System and method for centralized analytics for edge devices with enrichment pushdown

ABSTRACT

The computerized method is shown and includes obtaining input from a data stream at an electronic device, wherein the input includes machine data, wherein the electronic device has stored thereon a first query, evaluating the query by processing the input according to the first query, responsive to detecting a failure during evaluation of the query resulting from a lack of enrichment data stored on the electronic device, recording a first identifier corresponding to the enrichment data, transmitting the first identifier to a remote server computer system, receiving a communication from the remote server computer system, wherein the communication includes the enrichment data, and evaluating the query by processing second input from the data stream according to the first query and the enrichment data. In some instances the enrichment data includes contextual information for parsing the data stream and converting extracted data into an alternative format.

FIELD

At least one embodiment of the present disclosure pertains to data analytics for edge devices on a network, and, more particularly, to intelligently throttling data transmission between an edge device and a remote server computer system and the utilization of enrichment data to accurately evaluate queries at an edge device.

BACKGROUND

Information technology environments can include various types of edge devices. In general, an edge device is an electronic device that can form an endpoint of a network connection. An edge device can be a device on an Internet-of-Things (IoT) (an “IoT device”), that can collect data and exchange data on a network. An IoT device can be connected to the network permanently or intermittently. In some cases, an IoT device may include electronics, software, sensors, and network connectivity components included in other devices, vehicles, buildings, or other items. An edge device may perform machine-to-machine (M2M) communications directly with other devices (e.g., device-to-device communication) over a network and may also physically interact with its environment.

Multiple edge devices within an information technology environment can generate large amounts of data (“edge data”) from diverse locations. The edge data may be generated passively (e.g., sensors collecting environmental temperatures) or generated actively (e.g., cameras photographing detected objects). The edge data may include machine-generated data (“machine data”), which can include performance data, diagnostic information, or any other data that can be analyzed to diagnose equipment performance problems, monitor user interactions, and to derive other insights. The large amounts and often-diverse nature of edge data in certain environments can give rise to various challenges in relation to managing, understanding and effectively utilizing the data.

A number of tools are available to analyze data generated by edge devices. To reduce the volume of the potentially vast amount of edge data that may be generated, edge data may be pre-processed based on anticipated data-analysis needs. For example, specified data items may be extracted from or computed based on the edge data and stored in a database to facilitate efficient retrieval and analysis of those data items at a later time. The remainder of the generated edge data typically is not saved and is discarded during pre-processing. However, as storage capacity becomes progressively less expensive and more plentiful, storing massive quantities of minimally processed or unprocessed data (collectively and individually referred to as “raw data”) for later retrieval and analysis is becoming increasingly more feasible.

In general, storing raw edge data and performing analysis on that data later (i.e., at “search time”) can provide greater flexibility because it enables analysis of all of the generated edge data instead of only a small subset of it. This may, for example, enable an analyst to investigate different aspects of the edge data that previously were unavailable for analysis because massive amounts of edge data were discarded.

However, storing and analyzing massive quantities of edge data presents a number of challenges. For example, implementing edge analytics is a computationally intensive process that can push the limits of edge devices that have limited storage and computational capabilities. Moreover, the analytics tools implemented by edge devices fail to benefit from their interconnectedness with other devices.

However, in some embodiments, it may be beneficial to perform some edge analytics. For example, evaluating a data stream received by an edge device using a set of queries may enable an edge device to determine a state of the components being monitored. The edge device may then transmit a signal to a server or core system when a component is in or nearing a particular state. In some embodiments, the edge device may not have sufficient data storage capabilities to store all data required to fully evaluate each query based on the received data stream (e.g., such as contextual data or various definitions used in parsing the data stream and converting received data to desired formats). In such instances, the edge device may need to query the server for the contextual data or various definitions (referred to hereinafter as “enrichment data”). However, many edge devices have a poor network connection, which makes frequent requests to the server difficult as many requests are dropped or otherwise cannot be transmitted/delivered. Additionally, when hundreds or thousands of edge devices are coupled to a single server, the high volume of requests received by the server for enrichment data would render the server useless. Therefore, what is needed is a system and method for determining necessary enrichment data at an edge device and delivery of that enrichment data in an efficient manner.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more embodiments of the present disclosure are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements.

FIG. 1 is a system diagram illustrating a networked computer system (“the system”).

FIG. 2 is a block diagram illustrating a series of events, including raw edge data.

FIG. 3 is a block diagram illustrating components of a data intake and query system.

FIG. 4 is a flow diagram illustrating a process performed by a data intake and query system.

FIG. 5 is a flow diagram illustrating a process performed by a search head and indexers to perform a search query.

FIG. 6 is a block diagram illustrating components of an edge device connected to a server computer system.

FIG. 7 is a block diagram illustrating an operation of an embodiment of the system configured to iteratively update local instructions for data intake and query processes to improve analytics for the edge devices.

FIG. 8 is a block diagram illustrating an operation of an embodiment of the system to improve analytics for edge devices similar to FIG. 7, but which can implement machine learning at the edge devices or the server computer system.

FIG. 9 is an operation flow diagram illustrating an example of an operation flow of an edge device according to an embodiment.

FIG. 10 is an operation flow diagram illustrating an example of an operation flow of a server computer system according to an embodiment.

FIG. 11 is a block diagram illustrating a high-level example of a hardware architecture of a computing system that can be used to implement any one or more of the functional components described herein.

FIG. 12 is a block diagram illustrating components of an edge device connected to a server computer system similar to FIG. 6, and further including components configured to implement an intelligent throttling embodiment according to an embodiment.

FIG. 13A is an exemplary interactive user interface displaying data conveying states of a plurality of edge devices within a geographic region according to an embodiment.

FIG. 13B is a second exemplary interactive user interface displaying data conveying states of a plurality of edge devices within a geographic region.

FIG. 14 is an operation flow diagram illustrating an example of determining, requesting and receiving enrichment data required by an edge device according to an embodiment.

FIG. 15 is an operation flow diagram illustrating an example of retrieving requested enrichment data by a server computer system and transmitting the retrieved enrichment data to one or more edge devices according to an embodiment.

FIG. 16 is an operation flow diagram illustrating an example of process of predictive preloading performed by a server computer system according to an embodiment.

FIG. 17 is a block diagram illustrating components of an edge device connected to a server computer system similar to FIGS. 6 and 12, and further including components configured to implement a query evaluation failure recording and enrichment data request/transmission operations according to an embodiment.

FIG. 18 is an exemplary embodiment of a logical representation of a federated enrichment system of a server computer system and query evaluation and failure recording logic of an edge device according to an embodiment.

FIG. 19 is an data flow diagram illustrating an example of determining, requesting and receiving enrichment data required by an edge device and retrieval and transmission of the enrichment data by a server computer system according to an embodiment.

DETAILED DESCRIPTION

In this description, references to “an embodiment,” “one embodiment” or the like, mean that the particular feature, function, structure or characteristic being described is included in at least one embodiment of the technique introduced herein. Occurrences of such phrases in this specification do not necessarily all refer to the same embodiment. On the other hand, the embodiments referred to also are not necessarily mutually exclusive.

Introduced herein is a technique for improving the performance of computation on, or quality of data generated by, edge devices distributed on a network. In at least some embodiments introduced here, this is done by using a central server to aggregate data output by multiple edge devices (typically though not necessarily all of which have the same or very similar purpose or functionality), and using the central server to generate, based on the aggregated data, new or modified instructions or data (e.g., parameters) for use by the edge devices in generating subsequent output data, to improve their operation or quality of output data. In certain embodiments this is done by iteratively updating instructions or parameters used as part of data intake and query processes in a system that indexes, stores, and facilitates search and analysis of data generated by the edge devices. In general, the instructions can be executed by processors of the edge devices to perform operations as part of their data intake and query processes. Examples of the instructions include operations for performing various computing processes, including but not limited or restricted to, indexing, storing, searching, summarizing, transforming and/or extracting raw data or data items from the raw data generated by an edge device.

The edge devices can index and store data generated locally based on inputs to the edge devices. The edge devices can each process the indexed and stored data to perform local actions. For example, instructions can be search instructions used to retrieve data items from raw data generated by the edge devices, which are used to perform local actions. Local instructions at each edge device can be updated according to an instruction generation process implemented globally across all edge devices or locally at each edge device in a given system.

The system in certain embodiments includes a server computer system that can index and store edge data obtained from the network of edge devices (collectively “global edge data”). The server computer system can update global instructions by using the global edge data from all (or at least more than one) of the edge devices. As used herein, the term “global instructions” can include actual instructions, or data, or a combination of instructions and data. The server computer system can send the global instructions or related data to each of the edge devices. Each edge device can then use the global instructions or related data to replace or modify local instructions used to process data generated locally. By locally using at each edge device local instructions that have been updated from data generated by itself and other edge devices, the system can improve the performance of each edge device based on the data acquired by the network of distributed edge devices.

During operation, at least some of the edge devices can be communicatively connected from the server computer system intermittently. Such a connection can be via a wired or wireless link or via a combination of wired and wireless links, and can be direct or indirect. Edge data and global instructions or related data can be exchanged between an edge device and the server computer system while the edge device is connected to the server computer system. The edge device can continue to operate using the local instructions even when the edge device is disconnected from the server computer system. In some embodiments, any of the edge devices or server computer systems can implement schemas in accordance with the local or global instructions, respectively, to extract data items from unprocessed data or minimally processed data (“raw data”).

Various other features of the technique introduced here to iteratively update instructions or parameters (or other data) used by the edge devices will become apparent from the description that follows. First, however, it is useful to consider an example of an environment and system in which the technique can be employed, as will now be described.

1.0. General Overview

The embodiments disclosed herein generally refer to a system of distributed edge devices connected to a server computer system over a network. However, embodiments of the disclosed system can include many other computing components, such as other servers, sensors, routers, client devices, gateways and host devices that are not described herein for the sake of brevity but are well within the scope of the disclosed embodiments.

FIG. 1 is a system diagram illustrating a networked computer system according to an embodiment. The system 10 includes distributed edge devices 12-1 and 12-2 (also referred to collectively and individually as edge devices 12) and a server computer system 14. The edge devices 12 can be communicatively connected to the server computer system 14 over one or more networks 16. As indicated above, an edge device is generally an electronic device that can form an endpoint connection of a network. Examples of an edge device include a mobile device and an IoT device. For example, the edge devices 12 can be unmanned aerial vehicles (commonly referred to as drones) that connect to the server computer system 14 over the network 16 when the drones are within range of the wireless networks 16 but are disconnected from the network 16 otherwise.

At least some of the edge devices 12 may be only intermittently connected from the networks 16. As shown in FIG. 1, for example, edge device 12-1 is disconnected from the network 16 while edge device 12-2 is connected to the network 16. The edge devices 12 can generate edge data and provide the edge data to the server computer system 14 over the networks 16. In some embodiments, the edge devices 12 can operate autonomously or semi-autonomously to carry out designated tasks. In some embodiments, the edge devices 12 can operate under the control of a user to carry out tasks.

Each of the edge devices 12 can generate edge data locally based on inputs received by the respective edge devices 12, according to their designed functionality. For example, a drone that includes a camera can capture images of objects to generate image data. The edge devices 12 can process the edge data, perform requests from the server computer system 14, and perform numerous other computational tasks. For example, drones can process edge data with local models to identify objects in the captured images. During operation, the edge devices 12 may generate significant volumes of edge data.

The volume of edge data generated by the edge devices 12 can grow at very high rates as the number of edge devices included in the system 10 grows. Examples of edge data can include sensor data or other data generated from inputs to the edge devices 12, from which the edge devices 12 can be used to perform local actions. For example, edge data can include temperature inputs or other parameters obtained by sensors of the edge devices 12. Other examples of edge data can include application program data, system logs, network packet data, error logs, stack traces, and performance data. Edge data can also include diagnostic information, configurations, process control settings, actuator commands and other physical output commands, and many other types of data that can be analyzed to perform local actions, diagnose performance problems, monitor interactions, and derive other insights.

A number of tools are available to analyze edge data. The edge devices 12 or the server computer system 14 can use these tools to analyze the edge data. For example, the edge data can be communicated to the server computer system 14 from the edge devices 12 over networks 16 when connected over the networks 16. Thus, the server computer system 14 could analyze the edge data generated by the edge devices 12. The edge devices 12 can perform actions based on the analyzed data, when returned over the network 16. In some cases, the server computer system 14 can instruct the edge devices 12 to perform actions based on an analysis performed at one or more of the edge devices 12 or at the server computer system 14.

In the illustrated embodiment, the edge devices 12 include local instructions 18. In general, the local instructions 18 can be executed by processors of the edge devices 12 to perform operations on edge data for performing various computing operations, such as indexing, storing, searching, summarizing, transforming and/or extracting data items from raw data generated by an edge device. For example, the instructions 18 can dictate processes for retrieving data items from raw data generated by an edge device. The edge devices 12 can then use the retrieved data items to perform local actions.

Implementing local instructions at the edge devices 12 presents challenges. For example, the edge devices 12 may be deployed with local instructions 18 to extract data items from raw edge data for a particular application. However, the local instructions 18 can become stale when the environment in which the edge devices 12 are deployed changes such that the extracted data items are useless for the intended application. Moreover, the intended application for the edge devices can change and the local instructions 18 may not support the new application. As such, the edge devices 12 cannot adapt to changing environments or applications. Solutions can include updating the local instructions 18 locally at each edge device 12. However, this solution requires physical access to the edge devices 12, which may be infeasible if the edge devices 12 are installed in remote or isolated locations or are generally inaccessible. Moreover, this solution requires an undesirable amount of manual effort to update and manage the network of distributed edge devices 12 individually.

Other solutions can include remotely updating the local instructions 18 from a centralized location such as the server computer system 14. However, this solution similarly requires an undesirable amount of manual effort to manage each of the edge devices 12. Moreover, as indicated above, the edge devices 12 can be intermittently connected to the networks 16 such that the instructions from the server computer system 12 may not be received by edge devices 12 in a timely manner.

To overcome the aforementioned drawbacks, embodiments of the disclosed system 10 can include instruction generation algorithms 20 at the server computer system 14. The instruction generation algorithms 20 produce and update global instructions 22 based on edge data collected from all the edge devices 12. In some embodiments, instructions generation algorithms 20 include machine learning algorithms. The global instructions 22 or related data can then be communicated to the edge devices 12 when they are connected to the network 16. As such, the edge devices 12 to can update their local instructions 18 based on the global instructions 22. For example, the server computer system 14 can update the global instructions 22 based on the edge data generated by all the edge devices 12, and push an instance of the global instructions 22, a portion of the global instructions 22 or information related to the global instructions 22, to each edge device 12. The data received by the edge devices 12 can be used to replace or update each of the local instructions 18 based on the updated global instructions 22. This process is described in greater detail below.

When executed, the local instructions 18 can reduce or summarize the vast amounts of minimally processed or unprocessed data (“raw data”) generated by an edge device, which can be subsequently analyzed to perform local actions. For example, in some embodiments, the local instructions 18 may be used to pre-process the raw data based on anticipated data analysis needs. In particular, edge data can be pre-processed with pre-specified data fields to extract data items from raw data. The extracted data items may be stored to facilitate subsequent retrieval and analysis of those data items later at search time. In some embodiments, the remaining of the raw data is not saved and is discarded during pre-processing. Hence, the remaining raw data is not available at search time. However, discarding massive amounts of raw data can be undesirable because valuable insights could be lost.

As storage capacity becomes progressively less expensive, there are fewer incentives to discard raw data and many reasons to retain more of the raw data. Less expensive storage is presently making it feasible to store massive quantities of raw data for later retrieval and analysis. In general, storing raw data and performing analysis operations at search time in accordance with the local instructions 18 can provide greater flexibility because it enables searching all of the raw data instead of searching only a small subset of it. This may enable investigating different aspects of the raw data beyond the predetermined data items. As such, the disclosed embodiments can allow for searching through data that was previously unavailable for analysis.

However, analyzing and searching massive quantities of raw data presents a number of challenges. For example, the edge devices may generate many different types and formats of edge data (e.g., sensor data, system logs, network packet data (e.g., wire data), application program data, error logs, stack traces, system performance data, operating system data, and virtualization data) from thousands of different components, which can collectively be very time-consuming to analyze. In another example, edge devices may generate large amounts of information relating to data access, application performance, operating system performance, and network performance. There can be tens of millions of edge devices that report these types of information.

These challenges can be addressed by using an event-based data intake and query system, such as the SPLUNK® ENTERPRISE system developed by Splunk Inc. of San Francisco, Calif. The SPLUNK® ENTERPRISE system is a leading platform for providing real-time operational intelligence that enables organizations to collect, index, and search raw data collected from various sources such as websites, applications, servers, networks, and edge devices. The SPLUNK® ENTERPRISE system is particularly useful for analyzing data from various data input sources, including sensor data, data in system log files, and network data. Although many of the techniques described herein are explained with reference to a data intake and query system similar to the SPLUNK® ENTERPRISE system, these techniques are also applicable to other types of data systems.

In the SPLUNK® ENTERPRISE system, raw data is collected and stored as structured “events.” In this context, the global or local instructions of the disclosed embodiments can dictate the collecting and storing of the events. For example, FIG. 2 is a block diagram illustrating a series of events including raw edge data according to an embodiment. An event includes a portion of raw data and is associated with a specific point in time. For example, events may be derived from “time series data,” where the time series data comprises a sequence of data points (e.g., performance measurements from a computer system) that are associated with successive points in time. As shown, each event 1 through K can be associated with a timestamp 1 through K that can be derived from the raw data in the respective event, determined through interpolation between temporally proximate events having known timestamps, or determined based on other configurable rules for associating timestamps with events.

In some instances, raw data can have a predefined format, where data items with specific data formats are stored at predefined locations in the data. For example, the raw data may include data stored as fields. In other instances, raw data may not have a predefined format; that is, the data is not at fixed, predefined locations, but the data does have repeatable patterns and is not random. This means that some raw data can comprise various data items of different data types that may be stored at different locations within the raw data. As shown in FIG. 2, each event 1 through K includes a field that is nine characters in length beginning after a semicolon on a first line of the raw edge data, for example. In certain embodiments, these fields can be queried to extract their contents.

In addition to edge devices, examples of components in a computing environment that may generate raw data from which events can be derived include, but are not limited to, web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems. The data generated by such data sources can include, for example and without limitation, server log files, activity log files, configuration files, messages, network packet data, performance measurements, and sensor measurements.

The SPLUNK® ENTERPRISE system uses flexible schema to specify how to extract information from the event data. In some embodiments, the global or local instructions of the disclosed embodiments may be or include the schema. A flexible schema may be developed and redefined, as needed. Note that a flexible schema may be applied to event data “on the fly,” when it is needed (e.g., at search time, index time, and ingestion time). When the schema is not applied to event data until after the raw data is indexed or at search time, it may be referred to as a “late-binding schema.”

During operation, the SPLUNK® ENTERPRISE system starts with raw data (e.g., one or more system logs, streams of network packet data, sensor data, application program data, error logs, stack traces, or system performance data). The system divides this raw data into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame). The segments of raw data are indexed as timestamped events, corresponding to their respective time segments as shown in FIG. 2. The system stores the timestamped events in a data store.

The system then enables running queries against the stored data to, for example, retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields. In some embodiments, the global or local instructions may be or include the queries used to retrieve the events. As used herein throughout, data that is part of an event is referred to as “event data.” In this context, the term “field” refers to a location in the event data containing one or more values for a specific data item. As will be described in more detail below, the global or local instructions can include the fields, which are defined by extraction rules (e.g., regular expressions) that derive one or more values from a portion of raw data in each event that has a particular field specified by an extraction rule. The set of values so produced are semantically related (such as an IP address), even though the raw data in each event may be in different formats (e.g., semantically related values may be in different positions in the events derived from different sources).

As noted above, the SPLUNK® ENTERPRISE system can utilize a late-binding schema on event data while performing queries on the events, in accordance with embodiments of the global or local instructions. One aspect of a late-binding schema is applying “extraction rules” to event data to extract values for specific fields during search time. More specifically, the extraction rules for a field can themselves include one or more instructions that specify how to extract a value for the field from the event data. An extraction rule can generally include any type of instruction for extracting values from data in events. In some cases, an extraction rule comprises a regular expression where a sequence of characters form a search pattern, in which case the rule is referred to as a “regex rule.” The system applies the regex rule to the event data to extract values for associated fields in the event data by searching the event data for the sequence of characters defined in the regex rule.

In the SPLUNK® ENTERPRISE system, a field extractor may be configured in accordance with global or local instructions to automatically generate extraction rules for certain field values in the events when the events are being created, indexed, or stored, or possibly at a later time. Alternatively, a user may manually define extraction rules for fields by using a variety of techniques. In contrast to a conventional schema for a database system, a late-binding schema is not defined at data ingestion time (i.e., on or before the raw data is indexed for storage). Instead, the late-binding schema can be developed on an ongoing basis until the time a query is actually executed (which could be long after the raw data is indexed). As a result, extraction rules for the fields in a query may be provided in the query itself, or they may be located during execution of the query.

Hence, as a user learns more about the raw data in the events, the user can continue to refine the instructions including the late-binding schema by adding new fields, deleting fields, or modifying the field extraction rules for use the next time the schema is applied by the system. Because the SPLUNK® ENTERPRISE system maintains the underlying raw data and can use a late-binding schema for searching the raw data, users are enabled to continue investigating and to learn valuable insights about the raw data. In contrast, conventional processes in database systems discard the raw data that was not indexed as predetermined data items. As a result, users of conventional database systems are limited to only searching predetermined data items.

In some embodiments, a common field name may be used to reference two or more fields containing equivalent data items, even though the fields may be associated with different types of events that possibly have different data formats and different extraction rules. By enabling a common field name to be used to identify equivalent fields from different types of events generated by disparate data sources, the system facilitates use of a “common information model” (CIM) across the disparate data sources.

In some embodiments, the global or local instructions may dictate that the raw data utilized by the disclosed embodiments can be stored as events that are indexed by timestamps but are also associated with predetermined data items. This structure is essentially a modification of conventional database systems that require predetermining data items for subsequent searches. These systems can be modified to retain the remaining raw data for subsequent re-processing for other predetermined data items in accordance with subsequent instructions.

Specifically, the raw data can be divided into segments and indexed by timestamps. The predetermined data items can be associated with the events indexed by timestamps. The events can be searched only for the predetermined data items during search time, but the remaining raw data is available for subsequent reprocessing and re-indexing for searching other data items. In other words, the events can be re-processed later in time to re-index the raw data, to generate events with new predetermined data items in accordance with subsequent instructions.

2.0. Operating Environment

Referring back to FIG. 1, the server computer system 14 and edge devices 12 are examples of computing devices included in the system 10 that are interconnected via one or more networks 16. The networks 16 broadly represent one or more LANs, WANs, cellular networks (e.g., LTE, HSPA, 3G, and other cellular technologies), or networks using any of wired, wireless, terrestrial microwave, or satellite links, and may include the public Internet.

The computing devices of system 10 include any combination of hardware and software configured to implement the various logical components described herein. For example, the computing devices may include one or more memories that store instructions for implementing the various components described herein, one or more hardware processors configured to execute the instructions stored in the one or more memories, and various data repositories in the one or more memories for storing data structures utilized and manipulated by the various components.

The system 10 includes a data intake and query system 24. The data intake and query system 24 can be located exclusively at the server computer system 14, or components of the data intake and query system 24 can be distributed across the server computer system 14 and the edge devices 12 (as represented collectively by elements 24-1, 24-2 and 24-3). In some embodiments, any or each of the server computer system 14 and the edge devices 12 can include its own data intake and query system 24. Examples of configurations and operations of the data intake and query system 24 are described further below.

The edge devices 12 discussed above can represent a broader category of computing devices commonly referred to as “client devices,” which can each be operated under the control of a user. For example, FIG. 1 shows a client device 26 that can communicate with the components of the system 10 (e.g., the edge devices 12 or the server computer system 14) to receive or exchange information over the network 16. For example, a communication between the client device 26 and the components of the system 10 can include sending various requests and receiving data packets.

In one example, the client device 26 or applications 28 running on the client device 26 may initiate communications with applications running on the edge devices 12 or the server computer system 14 to request specific content (e.g., edge data), and the applications at the edge devices 12 or the server computer system 14 may respond with the requested content stored in one or more data packets. Hence, the components of the system 10 can also represent a broader category of computing devices referred to as “host devices,” which can host each other.

2.1. Data Intake and Query System

The data intake and query system 24 can be similar to or include components of the SPLUNK® ENTERPRISE system described above to create events from raw data in accordance with global or local instructions to improve storage and analysis of such data. For example, FIG. 3 is a block diagram illustrating components of the data intake and query system 24 according to an embodiment. The data intake and query system 24 includes one or more forwarders 30 that receive data from a variety of input data sources 32, and one or more indexers 34 that process and store the data in one or more data stores 36. The forwarders 30 and indexers 34 can be included in a single computing system, or may alternatively comprise separate processes executing on multiple computer systems. For example, the forwarders 30 could be located at the edge devices 12, and the indexers could be located at the server computer system 14.

Each data source 32 broadly represents a distinct source of data that can be consumed by the data intake and query system 24. An example of the data source 32 includes the data generated by sensors of the edge devices 12. Other examples of the data sources 32 include, without limitation, data files, directories of files, event logs, and registries, or any data sent over the networks 16.

During operation, the forwarders 30 can identify which indexers 34 should receive data collected from the data sources 32 and forward the data to the appropriate indexers 34. The forwarders 30 can also perform operations on the data before forwarding, including removing extraneous data, detecting timestamps in the data, parsing data, indexing data, routing data based on criteria relating to the data being routed, or performing other data transformations.

In an embodiment, the forwarders 30 may comprise a service accessible to the edge devices 12 or server computer system 14 over the networks 16. For example, one type of forwarder may be located at an edge device 12 and can be capable of consuming vast amounts of real-time data generated by the edge device 12, and then forward the generated data to the server computer system 14. In some embodiments, one type of forwarder 30 may be located at the server computer system 14 and capable of consuming vast amounts of data from a potentially large number of edge devices 12. Accordingly, a forwarder may, for example, comprise a computing device that implements multiple data pipelines or “queues” to handle forwarding of data to the indexers 34.

A forwarder 30 may also perform many of the functions that are performed by an indexer 34. For example, the forwarders 30 may perform keyword extractions on raw data or parse raw data to create events. The forwarders 30 may generate time stamps for events. Additionally or alternatively, the forwarders 30 may perform routing of events to the indexers 34. The data stores 36 may contain events derived from raw data obtained from a variety of data sources 32, which may be generated by the edge devices 12. Lastly, a search head 38 can perform a search query of the data stored in the data stores 36.

2.1.1. Data Ingestion

FIG. 4 is a flow diagram illustrating a process 400 performed by the data intake and query system 24 according to an embodiment. In some embodiments, any or all of the steps of the process 400 may be defined by the global or local instructions of the system 10. The illustrated data flow is provided for illustrative purposes only, and those skilled in the art would understand that one or more of the steps of the process 400 may be removed, or the ordering of the steps may be changed. Furthermore, for the purposes of illustrating a clear example, one or more particular system components are described in the context of performing various operations during each of the data flow stages. For example, a forwarder is described as receiving and processing data during an input phase; an indexer is described as parsing and indexing data during parsing and indexing phases; and a search head is described as performing a search query during a search phase. However, other system arrangements and distributions of the processing steps across system components may be used.

2.1.2. Input

In step 402, a forwarder receives raw data generated by an input source, such as the data sources 32 shown in FIG. 3. For example, the forwarder may receive a stream of raw sensor data generated at an edge device. In one embodiment, the forwarder receives the raw data and segments the data stream into “blocks,” possibly of uniform data size, to facilitate subsequent processing.

In step 404, the forwarder can annotate each segment of raw data with one or more metadata fields. These metadata fields may provide information related to the data segment as a whole and may apply to each event that is subsequently derived from the raw data in the data segment. For example, the metadata fields may include separate fields specifying each of a host, a source, and a source type related to the data segments.

A host field may contain a value identifying a host name or IP address of the edge device that generated the raw data. A source field may contain a value identifying a source of the raw data, such as a pathname of a file or a protocol and port related to received network data. A source type field may contain a value specifying a particular source type label for the data. Additional metadata fields may also be included during the input phase, such as a character encoding of the raw data, if known, and possibly other values that provide information relevant to later processing steps. In an embodiment, a forwarder forwards the annotated data segments to another system component (typically an indexer) for further processing.

The SPLUNK® ENTERPRISE system allows forwarding of data from one SPLUNK® ENTERPRISE instance to another, or even to a third-party system. The SPLUNK® ENTERPRISE system can employ different types of forwarders in a configuration. In an embodiment, a forwarder may contain the essential components needed to forward data. It can gather data from a variety of inputs and forward the data to a SPLUNK® ENTERPRISE server for indexing and searching. It also can tag metadata (e.g., source, source type, and host).

In an embodiment, a forwarder has the capabilities of the aforementioned forwarder, as well as additional capabilities. The forwarder can parse and index data before forwarding the data (e.g., associate a time stamp with a portion of data and create an event) and can route data based on criteria, such as source or type of event. It can also index data locally while forwarding the data to another indexer.

2.1.3. Parsing

At step 406, an indexer receives data segments from the forwarder and parses the data to organize the data into events. In an embodiment, to organize the data into events, an indexer may determine a source type associated with each data segment (e.g., by extracting a source type label from the metadata fields associated with the data block) and refer to a source type configuration corresponding to the identified source type. The source type definition may include one or more properties that indicate to the indexer to automatically determine the boundaries of events within the data.

In general, these properties may include regular expression-based rules or delimiter rules where, for example, event boundaries may be indicated by predefined characters or character strings. These predefined characters may include punctuation marks or other special characters, including, for example, carriage returns, tabs, spaces, line breaks, etc. If a source type for the data is unknown to the indexer, an indexer may infer a source type for the data by examining the structure of the data. Then, it can apply an inferred source type definition to the data to create the events.

In step 408, the indexer determines a timestamp for each event. Similar to the process for creating events, an indexer may again refer to a source type definition associated with the data to locate one or more properties that indicate instructions for determining a timestamp for each event. The properties may, for example, instruct an indexer to extract a time value from a portion of raw data in the event, to interpolate time values based on timestamps associated with temporally proximate events, to create a timestamp based on a time the event data was received or generated, to use the timestamp of a previous event, or to use any other rules for determining timestamps.

In step 410, the indexer associates each event with one or more metadata fields, including a field containing the timestamp (in some embodiments, a timestamp may be included in the metadata fields) determined for the event. These metadata fields may include a number of “default fields” that are associated with all events, and may also include one more custom fields, as defined by a user. Similar to the metadata fields associated with the data segments in step 404, the default metadata fields associated with each event may include a host, source, and source type field, including or in addition to a field storing the timestamp.

In step 412, an indexer may optionally apply one or more transformations to raw data included in the events created in step 406. For example, such transformations can include removing a portion of an event (e.g., a portion used to define event boundaries, extraneous characters from the event, other extraneous text, etc.), masking a portion of an event (e.g., masking a credit card number), removing redundant portions of an event, etc. The transformations applied to event data may, for example, be specified in one or more configuration files and referenced by one or more source type definitions.

2.1.4. Indexing

In steps 414 and 416, the indexer can optionally generate a keyword index to facilitate fast keyword searching for event data. To build a keyword index, in step 414, the indexer identifies a set of keywords in each event. In step 416, the indexer includes the identified keywords in an index, which associates each stored keyword with reference pointers to events containing that keyword (or to locations within events where that keyword is located, other location identifiers, etc.). When an indexer subsequently receives a keyword-based query, the indexer can access the keyword index to quickly identify events containing the keyword.

In some embodiments, the keyword index may include entries for name-value pairs found in events, where a name-value pair can include a pair of keywords connected by a symbol, such as an equals sign or colon. This way, events containing these name-value pairs can be quickly located. In some embodiments, fields can be generated automatically for some or all of the name-value pairs at the time of indexing. For example, if the string “dest=10.0.1.2” is found in an event, a field named “dest” may be created for the event, and assigned a value of “10.0.1.2”.

In step 418, the indexer stores the events with an associated timestamp in a data store. The timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are organized into “buckets,” where each bucket stores events associated with a specific time range based on the timestamps associated with each event. This may not only improve time-based searching, but also allows for events with recent timestamps, which may have a higher likelihood of being accessed, to be stored in a faster memory to facilitate faster retrieval. For example, buckets containing the most recent events can be stored in flash memory rather than on a hard disk.

Referring back to FIG. 3, each indexer 34-1 through 34-3 may be responsible for storing and searching a subset of the events contained in a corresponding data store 36. By distributing events among the indexers 34 and data stores 36, the indexers 34 can analyze events for a query in parallel. For example, using map-reduce techniques, each indexer 34-1 through 34-3 returns partial responses for a subset of events to the search head 38, which combines the results to produce an answer for the query. By storing events in buckets for specific time ranges, the indexers may further optimize data retrieval processes by searching buckets corresponding to time ranges that are relevant to a query.

Moreover, events and buckets can also be replicated across different indexers and data stores to facilitate high availability and disaster recovery, as described in U.S. Pat. No. 9,130,971, titled “SITE-BASED SEARCH AFFINITY,” filed on 30 Apr. 2014, and in U.S. Pat. No. 9,124,612, titled “MULTI-SITE CLUSTERING,” also filed on 30 Apr. 2014, each of which is hereby incorporated by reference in its entirety.

2.2. Query Processing

FIG. 5 is a flow diagram illustrating a process 500 for how a search head and indexers perform a search query according to an embodiment. In some embodiments, any or all of the steps of the process 500 may be defined by the global or local instructions of the system 10. In step 502, a search head receives a search query from another device. In step 504, the search head analyzes the search query to determine what portion(s) of the query can be delegated to indexers and what portions of the query can be executed locally by the search head.

In step 506, the search head distributes the determined portions of the query to the appropriate indexers. In an embodiment, a search head cluster may take the place of an independent search head where each search head in the search head cluster coordinates with peer search heads in the search head cluster to schedule jobs, replicate search results, update configurations, fulfill search requests, etc. In an embodiment, the search head (or each search head) communicates with a master node (also known as a cluster master, not shown in the figures) that provides the search head with a list of indexers to which the search head can distribute the determined portions of the query. The master node maintains a list of active indexers and can also designate which indexers may have responsibility for responding to queries over certain sets of events. A search head may communicate with the master node before the search head distributes queries to indexers to discover the addresses of active indexers.

In step 508, the indexers to which the query was distributed search data stores associated with them for events that are responsive to the query. To determine which events are responsive to the query, the indexer searches for events that match the criteria specified in the query. These criteria can include matching keywords or specific values for certain fields. The searching operations at step 508 may use the late-binding schema to extract values for specified fields from events at the time the query is processed. In an embodiment, one or more rules for extracting field values may be specified as part of a source-type definition. The indexers may then either send the relevant events back to the search head, or use the events to determine a partial result and send the partial result back to the search head.

In step 510, the search head combines the partial results or events received from the indexers to produce a final result for the query. This final result may comprise different types of data, depending on what the query requested. For example, the results can include a listing of matching events returned by the query, or some type of visualization of the data from the returned events. In another example, the final result can include one or more calculated values derived from the matching events.

The results generated by the system 10 can be returned to a client using different techniques. For example, one technique streams results or relevant events back to a client in real-time as they are identified. Another technique waits to report the results to the client until a complete set of results (which may include a set of relevant events or a result based on relevant events) is ready to return to the client. Yet another technique streams interim results or relevant events back to the client in real-time until a complete set of results is ready, and then returns the complete set of results to the client. In another technique, certain results are stored as “search jobs,” and the client may retrieve the results by referring to the search jobs.

The search head can also perform various operations to make the search more efficient. For example, before the search head begins execution of a query, the search head can determine a time range for the query and a set of common keywords that all matching events include. The search head may then use these parameters to query the indexers to obtain a superset of the eventual results. Then, during a filtering stage, the search head can perform field-extraction operations on the superset to produce a reduced set of search results. This speeds up queries that are performed on a periodic basis.

2.3. Field Extraction

Referring back to FIG. 3, in accordance with the global or local instructions of the system 10, the search head 38 allows for searching and visualizing event data extracted from raw data received from homogenous data sources. The search head 38 includes various mechanisms, which may additionally reside in an indexer 34, for processing a query. SPLUNK Processing Language (SPL), used in conjunction with the SPLUNK® ENTERPRISE system, can be utilized to make a query. SPL is a pipelined search language in which a set of inputs is operated on by a first command in a command line, and then a subsequent command following the pipe symbol “I” operates on the results produced by the first command, and so on for additional commands. Other query languages, such as the Structured Query Language (“SQL”), can be used to create a query.

In response to receiving the search query, search head 38 uses extraction rules to extract values for the fields associated with a field or fields in the event data being searched. The search head 38 obtains extraction rules that specify how to extract a value for certain fields from an event. Extraction rules can comprise regex rules that specify how to extract values for the relevant fields. In addition to specifying how to extract field values, the extraction rules may also include instructions for deriving a field value by performing a function on a character string or value retrieved by the extraction rule. For example, a transformation rule may truncate a character string, or convert the character string into a different data format. In some cases, the query itself can specify one or more extraction rules.

The search head 38 can apply the extraction rules to event data that it receives from indexers 34. The indexers 34 may apply the extraction rules to events in an associated data store 36. Extraction rules can be applied to all the events in a data store, or to a subset of the events that have been filtered based on some criteria (e.g., event time stamp values, etc.). Extraction rules can be used to extract one or more values for a field from events by parsing the event data and examining the event data for one or more patterns of characters, numbers, delimiters, etc., that indicate where the field begins and, optionally, ends.

3.0. Computing Architecture

As indicated above, the edge devices 12 can represent a broader category of computing devices referred to as client devices, which can include any computing device capable of interacting with the server computer system 14 over the one or more networks 16. Reference to an edge device in this disclosure is solely to aid in understanding a particular non-limiting embodiment. In addition to edge devices, examples of client devices include, without limitation, smart phones, tablet computers, handheld computers, wearable devices, laptop computers, desktop computers, servers, portable media players, gaming devices, and so forth.

3.1. Client Side Architecture

FIG. 6 is a block diagram illustrating components of an edge device 12 connected to the server computer system 14 according to an embodiment. In the illustrated embodiment, the edge device 12 includes one or more sensors 40, which broadly represent data acquisition circuitry. The sensors 40 can generate raw data that can be used by the edge device 12 to perform one or more local actions. The sensors 40 may generate various types of raw data from electrical or optical input signals, etc. For example, a thermocouple is a sensor that generates voltage output data in response to environmental temperature inputs. In another example, an image sensor can capture and convey information that constitutes an image.

The edge device 12 may include one or more client applications 42 that may be configured to monitor or generate edge data in response to a trigger in the code of the client applications 42 or other triggering events, and to store the edge data on memory 52. In particular, the edge data can be stored in one or more data records on the memory 52.

The client applications 42 may include a SPLUNKD daemon 44, which operates as a background process that performs various operations without direct interaction from another device or a user. For example, the SPLUNKD daemon 44 can run as a background process to collect raw data from the sensors 40.

The edge device 12 may host or execute one or more SPLUNK applications 46, machine learning applications 48, or data enrichment applications 50. These client applications 42 can collectively implement functions including optimized data collection, monitoring, management, etc. The client applications 42 can enable, manage, or control operations of the edge device 12 in accordance with the local instructions 18. For example, the SPLUNK applications 46 may manage the behavior of the sensors 40 that capture images of objects or process the image data in accordance with the local instructions 18.

The machine learning applications 48 may include a machine learning local model (not shown), which can be trained with edge data. Local edge data can further be processed with the local model to make predictions used to determine whether the edge device 12 performs a local action, and the type of location action that will be performed.

The data enrichment applications 50 can enhance the functionality of the edge device 12. For example, a data enrichment application can be applied to annotate outputs of the machine learning applications 48. For example, a data enrichment application can augment detection of objects by an image sensor to perform real-time video analytics such as object detection, facial detection and recognition, multi-object tracking, etc. The client applications 42 may include a “plug-in” or “extension” to another application, such as a web browser plug-in or extension. The client applications 42 may interact with the server computer system 14 or other edge devices over the networks 16.

In an embodiment, the client applications 42 may include monitoring functions that monitor edge data or facilitate generating edge data related to the edge device's operating state, including monitoring local data and collecting other edge device or application-specific information. The monitoring functions may be integrated into a plug-in, an extension, or any other type of add-ons. The monitoring functions may also be a stand-alone process.

In an embodiment, the monitoring functions may be created using a software development kit (SDK) that can incorporate monitoring code into the client applications 42. The SDK or other code for implementing the monitoring functionality may be offered by a provider of the data intake and query system 24. In such cases, the provider of the data intake and query system 24 can implement the custom code so that edge data is sent to the data intake and query system 24 to facilitate analysis of the edge data by a developer of the client applications 42 or other users.

In an embodiment, the custom monitoring code may be incorporated into the code of the client applications 42 to call or otherwise invoke the monitoring functionality. A developer of any of the client applications 42 can add one or more lines of code into a client application to trigger the monitoring functionality as desired. Code that triggers the monitoring functions may be referred to as a monitor trigger. For instance, a monitor trigger may be included at or near the beginning of the executable code of a client application such that the monitoring functionality is initiated or triggered as a client application is launched, or included at other points in the code that correspond to various actions of the client applications 42.

In an embodiment, the monitoring functions may monitor one or more aspects of network traffic sent or received by the client applications 42 over the networks 16. The network traffic can be analyzed to determine a number of network performance statistics. Monitoring network traffic may enable information to be gathered particular to the network performance associated with any of the client applications 42.

Network performance data refers to data that indicates information about the network or network performance. Network performance data may include, for instance, a URL request, a connection type (e.g., HTTP or HTTPS), a connection start time, a connection end time, an HTTP status code, request length, response length, request headers, response headers, connection status (e.g., completion, response time(s), or failure), and the like. Upon obtaining network performance data indicating performance of the networks 16, the network performance data can be sent to the data intake and query system 24 for analysis.

Upon developing the client applications 42 that incorporate the monitoring functionality, the client applications 42 can be distributed to the edge devices 12. The client applications 42 generally can be distributed to the edge devices 12 in any manner, or they can be pre-loaded. In some cases, the client applications 42 may be distributed to the edge device 12 via an application marketplace or other application distribution system. For instance, an application marketplace or other application distribution system might distribute the application to a client device based on a request from the edge device 12 to download the application.

Examples of functionality that enables monitoring performance of a client device are described in U.S. patent application Ser. No. 14/524,748, titled “UTILIZING PACKET HEADERS TO MONITOR NETWORK TRAFFIC IN ASSOCIATION WITH A CLIENT DEVICE,” filed on 27 Oct. 2014, and which is hereby incorporated by reference herein in its entirety.

In an embodiment, the monitoring functionality may monitor and collect performance data related to an aspect of the operational state of client applications 42 or edge device 12. For example, the monitoring functions may collect edge device performance information by monitoring one or more edge device operations, or by making calls to an operating system or one or more other applications executing on the edge device 12 for performance information. Edge device performance information may include, for instance, a current wireless signal strength of the edge device 12, a current connection type and network carrier, current memory performance information, a geographic location of the device, a device orientation, and any other information related to the operational state of the edge device 12.

In an embodiment, the client applications 42 may also monitor and collect other device profile information, including, for example, a type of edge device, a manufacturer and model of the edge device, versions of various software applications installed on the edge device, and so forth.

In the illustrated embodiment, components of the data intake and query system 24 are distributed between the edge device 12 and the server computer system 14. Specifically, the edge device 12 includes the forwarder 30, which can forward data to the indexer 34 of the server computer system 14. In an embodiment, the forwarder 30 can send transformed events in batches to the server computer system 14. As detailed below, the server computer system 14 further includes the data store 36 to store events, as detailed above, which can be searched by the search head 38 to extract data items. Further, the extracted data items can be used by the machine learning algorithms 54 to update/train the global model 22.

Accordingly, the forwarder 30 enables event collection by the server computer system 14. In some embodiments, the edge data can be communicated to the server computer system 14 using Hypertext Transfer Protocol (HTTP) or MQ Telemetry Transport (MQTT) protocols. Specifically, MQTT is an M2M IoT connectivity protocol useful for connections with remote locations where a relatively small code footprint is required or network bandwidth is limited.

3.2. Server Side Architecture

In the illustrated embodiments, the server computer system 14 can send pipelined search language queries, such as SPLUNK Processing Language (SPL) queries, and global instructions 22 or related data received by a configuration manager 54 to configure (or reconfigure) an edge device 12. For example, an SPL query may configure the edge device 12 to monitor certain edge data. The global instructions 22 or related data may be used at the edge device 12 configure (or reconfigure) the local instructions 18. For example, the global instructions 22 or related data can be used to replace or update the local instructions 18 with the global instructions 22. One or more filters 56, transforms 58 or rules 60 may be used to configure the edge device 12 to send summary data, based on its locally acquired data, back to the server computer system 14. The data summary sent from each of the edge devices 12 then can form global training data to train the global model 22 on the server computer system 14. The filters 56, transforms 58 or rules 60 can be included in each edge device 12.

The server computer system 14 can represent a broader category of computing devices referred to as host devices, which can include any number of computers, virtual machine instances, or data centers that can be configured to host or execute one or more instances of host applications (e.g., host applications 62). The server computer system 14 or another host device may be involved, directly or indirectly, in processing requests received from the edge device 12 for a network-based service. For example, a network-based service provider may configure one or more host devices and host applications to collectively implement the network-based application.

The edge device 12 can communicate with the host applications 62 to exchange information. The communication between the edge device 12 and the host applications 62 may be based on HTTP or any other network protocol. Content delivered from the host applications 62 to the edge device 12 may include, for example, HTML documents, media content, etc. The communication between the edge device 12 and host applications 62 may include sending requests and receiving data packets. For example, the client applications 42 may initiate communication with host applications 62 by requesting a specific resource, and the host device may respond with the requested content stored in one or more response packets.

A host device may generate various types of performance data during operation of the host applications 62, including event logs, network data, sensor data, and other types of machine-generated data. The host data or data related to an interaction between the host device and the edge device 12 could be subjected to data intake and query processes.

3.3. Cloud-Based Architecture

The following implementations may incorporate a data intake and query system, such as the one described in U.S. patent application Ser. No. 15/339,912, entitled “METRICS STORE SYSTEM,” filed on Oct. 31, 2016, now published as U.S. Patent Application Publication No. 2018/0089290 A1, which is hereby incorporated by reference in its entirety. In addition, as shown in the figures herein, various embodiments may refer to a data intake and query system 24 that includes one or more of a search head 38, an indexer 34, and a forwarder 30. In other implementations, data intake and query system 24 may have a different architecture, but may carry out indexing and searching in a way that is indistinguishable or functionally equivalent from the perspective of the end user. For example, data intake and query system 24 may be re-architected to run in a stateless, containerized environment. In some of these embodiments, data intake and query system 24 may be run in a computing cloud provided by a third party, or provided by the operator of the data intake and query system 24. This type of cloud-based data intake and query system may have several benefits, including, but not limited to, lossless data ingestion, more robust disaster recovery, and faster or more efficient processing, searching, and indexing. A cloud-based data intake and query system as described in this section may provide separately scalable storage resources and compute resources, or separately scalable search and index resources. Additionally, the cloud-based data intake and query system may allow for applications to be developed on top of the data intake and query system, to extend or enhance functionality, through a gateway layer or one or more Application Programming Interfaces (APIs), which may provide customizable access control or targeted exposure to the workings of data intake and query system 24.

In some embodiments, a cloud-based data intake and query system may include an intake system. Such an intake system can include, but is not limited to an intake buffer, such as Apache Kafka® or Amazon Kinesis®, or an extensible compute layer, such as Apache Spark™ or Apache Flink®. In some embodiments, the search function and the index function may be separated or containerized, so that search functions and index functions may run or scale independently. In some embodiments, data that is indexed may be stored in buckets, which may be stored in a persistent storage once certain bucket requirements have been met, and retrieved as needed for searching. In some embodiments, the search functions and index functions run in stateless containers, which may be coordinated by an orchestration platform. These containerized search and index functions may retrieve data needed to carry out searching and indexing from the buckets or various other services that may also run in containers, or within other components of the orchestration platform. In this manner, loss of a single container, or even multiple containers, does not result in data loss, because the data can be quickly recovered from the various services or components or the buckets in which the data is persisted.

In some embodiments, the cloud-based data intake and query system may implement tenant-based and user-based access control. In some embodiments, the cloud-based data intake and query system may implement an abstraction layer, through a gateway portal, an API, or some combination thereof, to control or limit access to the functionality of the cloud-based data intake and query system.

4.0. Embodiments of System Operations

FIGS. 7 and 8 are block diagrams that illustrate operations of the system 10 implementing components of the disclosed technology in different combinations. Although shown as two separate embodiments, the components illustrated in these figures can be combined in various ways to achieve a desired behavior for the system 10. Moreover, embodiments may omit components or include other components not shown but known to persons skilled in the art.

4.1.1. Instructions for Data Intake and Query Processes

FIG. 7 is a block diagram illustrating an operation of an embodiment of the system 10 configured to iteratively update local instructions for data intake and query processes to improve analytics for the edge devices 12. In the illustrated embodiment, the edge devices 12 can receive local inputs 64 to generate raw data 66 according to their designed functions. As part of their data intake and query processes, the edge devices 12 execute local instructions 18 on the vast amounts of raw data 66. The local instructions 18 can cause the edge devices 12 to create time-indexed events including segments of the raw data 66, or extract data items by applying schema 68 on the events.

For example, the schema 68 may be late-binding to cause the edge devices 12 to extract data fields from raw data of the time-indexed events to obtain the data items (e.g., the data items are extracted after indexing the events). In another example, the local instructions 18 can cause the edge devices 12 to implement the schema 68 to obtain data items by extracting data fields from raw data while the events are being indexed by timestamps (e.g., not after indexing the events). Any combination of the raw data 66 or data derived from the raw data 66 such as the events, the data items, or indicia thereof can constitute results 70 generated by the edge devices 12. For example, the indicia constituting the results 70 may include an aggregate or summary of the events or the data items. The results 70 can be used to perform local actions 72 at the edge devices 12. For example, a local action can include changing an operational parameter of an edge device or changing a setting controlled by the edge device.

In some embodiments, only a small portion of the results 70 (e.g., 10%) is sent by the edge devices 12 to the server computer system 14 over a network. In some embodiments, the portion can be specified prior to commencing an operation by the edge devices 12 to create the time-indexed events. In some embodiments, the portion is determined during the operation (i.e., on the fly).

The server computer system 14 collects the results 70 or portion thereof sent by the edge devices 12 over the network. The results 70 or portion thereof obtained by the server computer system 14 collectively constitutes global results 74. In some embodiments, the server computer system 14 can implement data intake and query processes to create global time-indexed events (“global events”) including segments of the global results 7 4. For example, the server computer system 14 may implement a schema 76 to extract data items from the global events while or after the global events are indexed. As such, the server computer system 14 may produce global data items.

The server computer system 14 includes instruction algorithms 20 that process the global results 74 or related data (e.g., global data items) to generate global instructions 22. Hence, the global instructions 22 are based on edge data generated by the network of distributed edge devices 12.

The server computer system 14 can then send an instance of the global instructions 22 or related data to one or more of the edge devices 12. The instance of the global instructions 22 or the related data can cause the edge device 12 to update its local instructions 18. In particular, the edge device 12 can use the global instructions 22 or related data to replace or modify its local instructions 18, which is used on subsequently generated raw data.

As such, the local instructions 18 of the edge devices 12 can be iteratively updated via the server computer system 14. By locally using at each edge device 12 the local instructions 18 that have been updated from data generated by itself and other edge devices 12, the system 10 can improve the performance of each of the edge devices 12 based on the data acquired by the network of distributed edge devices 12.

4.1.2. Machine Learning

FIG. 8 is a block diagram illustrating an operation of an embodiment of the system to improve analytics for the edge devices 12 similar to FIG. 7, but which can implement machine learning at the edge devices 12 or the server computer system 14. In the illustrated embodiment, the edge devices 12 or the server computer 14 can separately or collectively implement one of more machine learning processes 78. In general, a machine learning process 78-1 through 78-3 each involve an algorithm that can learn from and make predictions, classifications or identifications, etc. on data, rather than following a static set of program instructions.

Such algorithms operate by building a model from data. For example, the machine learning processes 78 can train models used to improve the local instructions 18 or global instructions 22.

Common machine learning algorithms generally involve either supervised or unsupervised learning. In supervised learning, a computer is presented with example inputs and desired outputs, with the goal of learning a rule that maps the inputs to the outputs. Unsupervised learning leaves the learning algorithm to find structure in the input without labeling the inputs or outputs. A learning algorithm can continuously learn from new inputs (e.g., training data) to improve predictions. There are various types and variations of machine learning processes known to persons skilled in the art that can be implemented in the disclosed embodiments and, as such, are not discussed herein for the sake of brevity.

Specifically, the machine learning processes 78-1 and 78-2 of the edge devices 12-1 and 12-2, respectively, can be used to improve the local instructions 18 based on the raw data 66, or the received global instructions 22 (or related data). Likewise, the machine learning processes 78-3 of the server computer system 14 can improve the global instructions 22 based on the global results 7 4 or data derived therefrom. Hence, the global instructions 22 can be generated in accordance with the machine learning process 78-3, and the server computer system 14 can push the machine-learned global instructions 22 (or related data) to the edge devices 12 to further improve their performance.

Moreover, when the edge devices 12 are disconnected from the server computer system 14, the disconnected edge devices 12 can still improve and update their local instructions 18 by learning from the raw data 66 without communicating with the server computer system 14.

4.2. Operation of Edge Device

FIG. 9 is an operation flow diagram illustrating an example of an operation flow 900 of an edge device according to an embodiment. In step 902, the edge device generates raw data based on inputs to the edge device. As part of its data intake and query processes, the edge device can execute local instructions on the vast amounts of raw data. For example, in step 904, the local instructions can cause the edge device to generate events indexed by timestamps. The events can include respective segments of the raw data generated by the edge device.

In step 906, the edge device can implement one or more operations to retrieve data from the events in accordance with the local instructions. For example, in step 908, the edge device can implement a schema to extract data items from the events. The schema may be late-binding to obtain data items from segments of the raw data in the events after the events are indexed. In another example, data items can be extracted from the raw data while the events are being indexed.

In step 910, the local instructions can cause the edge device to obtain results including any combination or portion of the raw data or data derived from the raw data (e.g., the data items). For example, the results may include at least a portion of the data items that have been aggregated to summarize the data items. In step 912, the edge device can execute a local action based on the results. For example, the local action can include changing an operational parameter of the edge device or changing a setting controlled by the edge device.

In step 914, the edge device determines whether it can connect to the server computer system over the network. If so, for example, the edge device may automatically and autonomously (e.g., without human interaction) establish machine-to-machine (M2M) communications with the server computer system to send the results or indicia thereof to the server computer system.

In step 916, if the edge device is communicatively connected to the server computer system, the edge device can send the results or indicia thereof over the network to the server computer system. In some embodiments, the results sent to the server computer system can include only a portion of the results obtained by performing the retrieval operation on the events in accordance with the local instructions.

In step 918, the edge device receives new instructions or related data from the server computer system over the network. The new instructions can be generated by the server computer system based on the results it received in step 916. In some embodiments, the new instructions were derived by the server computer system based on (global) results collected from the network of distributed edge devices, in addition to the results received in step 916 from the edge device.

The new (global) instructions or related data cause the edge device to update its local instructions. In particular, the edge device can use the new (global) instructions or related data to replace or modify its current local instructions. The operation of the edge device then returns to step 906 to perform operations using the new (global) instructions to retrieve new data items from the same events or create new events and extract new data items. As such, the local instructions of the edge device can be iteratively modified via the server computer system to improve edge analytics.

In some embodiments, if the edge device is disconnected from the server computer system, the edge device can take steps to locally update its local instructions. For example, in steps 920 and 922, the edge device can generate new instructions by performing machine learning processes on the raw data, the results data, the new global instructions, etc. The locally modified (and machine-learned) instructions can cause the edge device to perform operations on events to obtain new results in accordance with the locally modified local instructions. Further, the edge device can perform local actions based on the new results.

4.3. Server Computer System Operations

FIG. 10 is an operation flow diagram illustrating an example of an operation flow 1000 of a server computer system according to an embodiment. As discussed above, the server computer system can be intermittently communicatively connected to some edge devices and disconnected from other edge devices, all collectively forming a network of distributed edge devices.

In step 1002, the server computer system can collect global data from the network of distributed edge devices communicatively connected to the server computer system over the network. In some embodiments, the global data (e.g., global results) corresponds to the results generated by each of the edge devices in accordance with local instructions.

As part of its data intake and query processes, in step 1004, the server computer system may generate global events indexed by timestamps. The global events may include segments of the global data collected from the network of distributed edge devices.

In step 1006, the server computer system may implement schema to extract a data field from each of the global events to obtain global data items. For example, the server computer system may implement a late-binding schema that extracts global data items after the global events are indexed. In another example, the server computer may implement a schema that extracts data items while the global results are being indexed as timestamped events.

In steps 1008 and 1010, the server computer system may generate global instructions based on the global events or the global data items. Specifically, in step 1008, the server computer system may implement machine learning processes on the global events or the global data items to obtain the global instructions.

In step 1012, the server computer system sends the global instructions or related data to at least one of the network of distributed edge devices. The global instructions or the related data are configured to cause an edge device to update its local instructions. As such, the network of distributed edge devices can use the global instructions or related data to replace or modify their local instructions.

5.0. Computing System Architecture

FIG. 11 is a block diagram illustrating a high-level example of a hardware architecture of a computing system 80 that can be used to implement any one or more of the functional components described herein (e.g., forwarder, indexer, search head, and data store, server computer system, edge device). In some embodiments, one or multiple instances of the computing system 80 can be used to implement the techniques described herein, where multiple such instances can be coupled to each other via one or more networks.

The illustrated computing system 80 includes one or more processing devices 82, one or more memory devices 84, one or more communication devices 86, one or more input/output (I/O) devices 88, and one or more mass storage devices 90, all coupled to each other through an interconnect 92. The interconnect 92 may be or include one or more conductive traces, buses, point-to-point connections, controllers, adapters, or other conventional connection devices. Each of the processing devices 82 controls, at least in part, the overall operation of the processing of the computing system 80 and can be or include, for example, one or more general-purpose programmable microprocessors, digital signal processors (DSPs), mobile application processors, microcontrollers, application-specific integrated circuits (ASICs), programmable gate arrays (PGAs), or the like, or a combination of such devices.

Each of the memory devices 84 can be or include one or more physical storage devices, which may be in the form of random access memory (RAM), read-only memory (ROM) (which may be erasable and programmable), flash memory, miniature hard disk drive, or other suitable type of storage device, or a combination of such devices. Each mass storage device 90 can be or include one or more hard drives, digital versatile disks (DVDs), flash memories, or the like. Each memory device 84 or mass storage device 90 can store (individually or collectively) data and instructions that configure the processing device(s) 82 to execute operations to implement the techniques described above.

Each communication device 86 may be or include, for example, an Ethernet adapter, cable modem, Wi-Fi adapter, cellular transceiver, baseband processor, Bluetooth or Bluetooth Low Energy (BLE) transceiver, serial communication device, or the like, or a combination thereof. Depending on the specific nature and purpose of the processing devices 82, each I/O device 88 can be or include a device such as a display (which may be a touch screen display), audio speaker, keyboard, mouse or other pointing device, microphone, camera, etc. Note, however, that such I/O devices 88 may be unnecessary if the processing device 82 is embodied solely as a server computer.

In the case of a client device (e.g., edge device), the communication devices(s) 86 can be or include, for example, a cellular telecommunications transceiver (e.g., 3G, LTE/4G, 5G), Wi-Fi transceiver, baseband processor, Bluetooth or BLE transceiver, or the like, or a combination thereof. In the case of a server, the communication device(s) 86 can be or include, for example, any of the aforementioned types of communication devices, a wired Ethernet adapter, cable modem, DSL modem, or the like, or a combination of such devices.

A software program or algorithm, when referred to as “implemented in a computer-readable storage medium,” includes computer-readable instructions stored in a memory device (e.g., memory device(s) 84). A processor (e.g., processing device(s) 82) is “configured to execute a software program” when at least one value associated with the software program is stored in a register that is readable by the processor. In some embodiments, routines executed to implement the disclosed techniques may be implemented as part of OS software (e.g., MICROSOFT WINDOWS® and LINUX®) or a specific software application, algorithm component, program, object, module, or sequence of instructions referred to as “computer programs.”

Computer programs typically comprise one or more instructions set at various times in various memory devices of a computing device, which, when read and executed by at least one processor (e.g., processing device(s) 82), will cause a computing device to execute functions involving the disclosed techniques. In some embodiments, a carrier containing the aforementioned computer program product is provided. The carrier is one of an electronic signal, an optical signal, a radio signal, or a non-transitory computer-readable storage medium (e.g., the memory device(s) 84).

6.0. Intelligent Throttling Embodiment

In some embodiments, it may be advantageous to push as much computation and processing of observed, received or ingested data to edge devices as possible, and away from a remote server computer system, in order to use local compute resources and reduce transmission of data. Performing computation on ingested data at an edge device enables the edge device to intelligently throttle the amount of information transmitted to the remote server computer system 14 (referred to below as “ingested data” for purposes of clarity). As each edge device 12 of a plurality of edge devices communicatively coupled to a server computer system ingests large amounts of data, transmission of the entirety of the ingested data requires vast amounts of resources and is often rather costly. Further, reliable connectivity between an edge device 12 and the server computer system 14 is not always guaranteed.

However, performing processing of the ingested data at the edge device 12 according to one or more predetermined rule sets enables the edge device 12 to determine whether the ingested data is “high-frequency, low-value data” or “high-value data.” The transmission of high-frequency, low-value data to the server computer system 14 wastes valuable resources. Thus, performing processing of ingested data at an edge device 12 enables the system 10 to preserve resources and improve efficiency of the system as a whole by intelligently throttling data transmission. Further, processing of the ingested data enables the edge device 12 to discard the high-frequency, low-value data in some embodiments.

During processing of the ingested data according to a first rule set, the edge device 12 may generate a summary at periodic time intervals and transmit the summary to the server computer system 14, which may further analyze the summary (e.g., in accordance with one or more models taking into account historic data). Additionally, the edge device 12 may determine that a numeric value computed based on the ingested data is nearing a threshold, or will in the future, and such information should be transmitted to the server computer system 14 through the generation of an alert. In some embodiments, a summary may include information pertaining to analyses performed by the client applications 42, ingested data in a compressed format, a representative subset of the data ingested within a given time period, or other metrics or indicia of the ingested data (averages of metrics obtained, maximums, minimums, etc.). Thus, the summary provides the server computer system 14 with information summarizing the ingested data over a given time period such that the server computer system 14 may perform correlations, machine learning modeling or other operations based on the summary without the requirement to transmit the entirety of the ingested data.

In response to either determining a metric included in or a numeric value computed from the summary is likely to exceed a threshold in the future or receiving an alert from an edge device 12, the server computer system 14 may transmit a communication to the edge device 12. The communication may include an instruction to enable a second rule set also stored on the edge device 12, and optionally disable the first rule set, wherein the second rule set includes alternative or modified rules for processing, storing or transmitting the ingested data to the server computer system 14. In one exemplary embodiment, the second rule set includes instructions for processing subsequent data, which may include the transmission of all subsequent data from the edge device 12 to the server computer system 14. The term “subsequent data” may refer to data ingested concurrently or after receiving the communication including the instruction to enable the second rule set.

6.1. Operation of Edge Device

Referring now to FIG. 12, a block diagram illustrating components of an edge device connected to a server computer system similar to FIG. 6, and further including components configured to implement an intelligent throttling embodiment is shown according to one embodiment. In the illustrated embodiment, the system 1200 includes the edge device 12 and the server computer system 14. The edge device 12 includes the components as discussed above with respect to FIG. 6, and in addition, includes a rule set storage 1202 that has stored thereon one or more rule sets 1204 ₁-1204 _(i), wherein (i≥1). The one or more rule sets 1204 ₁-1204 _(i), when executed, instruct the client applications 42 to perform varying levels and/or techniques of processing with each level or technique including varying operations or thresholds utilized during the processing. For example, the first rule set 1204 ₁, when executed, may cause the client applications 42 to generate, and search, time series data by way of indexing, storing, searching, or extracting raw data or data items from the ingested data (e.g., raw data). In some embodiments, the first rule set 1204 ₁, when executed, may cause the client applications 42 to perform a statistical analysis and generate a predicted status of the edge device 12, or a portion thereof, based on extrapolating the results of the statistical analysis. The first rule set 1204 ₁, when executed, may then cause the client applications 42 to determine whether the predicted status exceeds a threshold, e.g., for a particular metric, within a given time period. An alert may be transmitted to the server computer system 14 based on a result of the determination.

The second rule set 1204 ₂, when executed, may cause the client applications 42 to store a copy of all ingested data, or, in other embodiments, may cause the client applications 42 to transmit the ingested data, or a specified portion thereof, to the server computer system 14 for further analysis. In alternative embodiments, the second rule set 1204 ₂, when executed, may cause the client applications 42 to generate, or search, time series data.

In one embodiment, the edge device 12 may include a first rule set 1204 ₁ and second rule set 1204 ₂ stored in the rule set storage 1202 and be configured such that the first rule set 1204 ₁ is enabled and the second rule set 1204 ₂ is disabled via default settings. In such an embodiment, the SPLUNK applications 46 or the SPLUNKD daemon 44 utilize the enabled rule set (or enabled rule sets) while processing the data ingested from the sensors 40 (wherein the ingested data may also be referred to as input).

As discussed above with respect to FIG. 6, the client applications 42 may include a SPLUNKD daemon 44, which operates as a background process that performs various operations without direct interaction from another device or a user. Additionally, the edge device 12 may host or execute one or more SPLUNK applications 46, which may enable, manage, or control operations of the edge device 12 in accordance with the local instructions 18. Further, one or more of the client applications 42 may execute one or more of the rule sets 1204 ₁-1204 _(i). The edge device 12 may be preconfigured with one or more of the rule sets 1204 ₁-1204 _(i) stored in the rule set storage 1202. In some embodiments, one or more of the rule sets 1204 ₁-1204 _(i) may be received from the server computer system 14 via network connectivity or by manual transmission from another electronic device or storage device, not shown.

In one embodiment, execution of the first rule set 1204 ₁ may cause processing of a particular metric that is extracted from ingested data with the processing including performance of a statistical analysis on the metric. In some embodiments, the statistical analysis may be a regression analysis, such as linear or nonlinear regression. Subsequently, based on the statistical analysis, the client applications 42 may extrapolate values of the metric to determine a prediction of the metric extending into the future (i.e., inferring likely values of the metric in the future). The extrapolation may be linear, polynomial, conic or French curve. Further, the client applications 42 may determine whether the extrapolated values are projected to exceed a threshold within a predefined time period. It should be noted that the thresholds are highly configurable. In some embodiments, the thresholds may vary based on edge device, sensor component, deployment scenarios of an edge device or sensor, operating modes of an edge device or sensor, installed configurations of an edge device or sensor, time of day, other metrics computed during a query evaluation, etc. In some embodiments, the individual thresholds may be retrievable from a lookup table or other data store at run time.

In other embodiments, the client applications 42 may determine whether one or more variations in characteristics of observed data relative to expected characteristics indicates a change in the status or the condition of the edge device. For example, in one embodiment, ingested data may be saved for a predefined time period (e.g., two days, one week, etc.) and the client applications 42 may analyze the saved data to determine expected characteristics on a per metric basis (the expected characteristics may also be provided to the edge device or retrieved by the edge device). Characteristics may include any observations pertaining to data values observed over time or at a single instance. Variations in characteristics of observed data relative to expected characteristics may indicate a change in status or condition of an edge device in certain situations, examples of which may include, but not limited or restricted to, the observation of an unexpected value or the observation of a pattern that is unexpected or exceeds a threshold. A pattern may include a reoccurring observation over time (e.g., either a single reoccurrence or a gradual shift in data values). One example of a pattern may be a trend, e.g., a linear change in data values (numeric or categorical). Additionally, variations that indicate a change in status or condition of an edge device may include an unusual (e.g., unexpected or anomalous) sequence of observed data or a shift in the frequency distribution of data values.

Further, in one embodiment, execution of the first rule set 1204 ₁ may cause processing of a metric including the determination as to whether the current metric value fits an expected pattern or trend (e.g., is within the established average range for the metric during the time of day, is within a tolerance level (e.g., percentage) of the average metric value, etc.). In other embodiments, the description of expected characteristics may be provided manually or from the server computer system 14. In response to observing that the data being analyzed are deviating from characteristics relative to expected characteristics (e.g., a current or extrapolated value of a numeric field exceeds a threshold or is predicted to exceed a threshold, a categorical field has an unexpected value, etc.), the client applications 42 may generate and cause the transmission of one or more alerts to the server computer system 14 according to the enabled first rule set 1204 ₁.

As will be discussed below, the server computer system 14 receives the one or more alerts from the edge device 12 and performs one or more analyses thereon. During the analyses, the server computer system 14 determines whether an action or operation needs to be taken based on one or more alerts, the one or more alerts corresponding to the data ingested by the edge device 12. For example, the results of the analyses performed by the server computer system 14 may corroborate the results of the statistical analysis and extrapolation performed by the edge device 12.

In response to the alert or corroborating the results of the statistical analysis and extrapolation performed by the edge device 12, the server computer system 14 may transmit a communication to the edge device 12. The communication, e.g., a “rule set communication” as seen in FIG. 12, may include one or more instructions that when executed by the edge device 12, enable a second rule set 1204 ₂ that was previously disabled. Further, execution of the one or more instructions may prompt the client applications 42 to utilize the second rule set 1204 ₂ when processing ingested data. In some embodiments, the configuration manager 54 may receive, parse and interpret the rule set communications. The configuration manager 54 may then provide the instructions contained therein to the client applications 42. As discussed above, the rule set communication received from the server computer system 14 may include an instruction to disable the first rule set and enable the second rule set 1204 ₂. In other embodiments, the rule set communication may include an instruction to enable the second rule set 1204 ₂ and process ingested data with both the first rule set 1204 ₁ and the second rule set 1204 ₂, serially or in parallel. In one example, when the first rule set 1204 ₁ and the second rule set 1204 ₂ are to be performed serially, the results of execution of the first rule set 1204 ₁ may be processed by executing the second rule set 1204 ₂. In another example, when the first rule set 1204 ₁ and the second rule set 1204 ₂ are to be performed in parallel, execution of one of the first rule set 1204 ₁ or the second rule set 1204 ₂ may be performed on a copy of the ingested data such that execution is performed concurrently (at least partially overlapping in time).

In some embodiments, the second rule set 1204 ₂ may include instructions to pass all ingested data to the server computer system 14 for processing. Additionally, or in the alternative, the second rule set 1204 ₂ may include instructions store a copy of all ingested data. In addition, the second rule set 1204 ₂ may include instructions for performing analyses similar to those discussed above but need not be so limited. In some embodiments, the second rule set 1204 ₂ may include thresholds that differ from those implemented in the first rule set 1204 ₁.

Although FIG. 12 illustrates only a single edge device 12 communicatively coupled to the server computer system 14, the invention is not intended to be so limited. Instead, a plurality of edge devices 12 may be communicatively to the server computer system 14 in a concurrent manner such that communication transmissions between multiple edge devices 12 and the server computer system 14 may occur in parallel, e.g., simultaneously.

6.1.1 Limited or No Connectivity Available Between Server Computer System and Edge Device

It should also be noted that in some embodiments, the connection between the server computer system 14 and the edge device 12 may be limited or completely lacking. In such a scenario, the edge device 12 may still perform processing of ingested data according to the first rule set 1204 ₁ as discussed above. However, when the client applications 42 determine an alert is to be transmitted to the server computer system 14 and no connection is available (or a limited connection precludes transmission), the first rule set 1204 ₁ may include instructions to automatically enable the second rule set 1204 ₂. Alternatively, or in addition, a third rule set, e.g., rule set 1204 ₃, may automatically be enabled that includes instructions to store all ingested data. In some embodiments, the second rule set 1204 ₂ or third rule set 1204 ₃ may be implemented in parallel on a copy of the ingested data.

In another embodiment in which no connection is available (or a limited connection precludes transmission), the edge device 12 may record any query failures and transmit that recording to the server computer system 14, as will be discussed below. The information received by the edge device 12 from the server computer system 14 may enable the edge device to fully evaluate a query (e.g., execute one or more rule sets 1204 ₁-1204 _(i)).

6.2. Operation of Server Computer System

In addition to the server computer system 14 sending pipelined search language queries and global instructions 22 or related data to the edge device 12, the server computer system 14 may transmit communications pertaining to one or more rule sets stored on the edge device 12. In some embodiments, such communications pertaining to the one or more rule sets may be in response to the receipt of an alert or a summary from the edge device 12.

More specifically, upon receipt of either an alert or a summary, the server computer system 14 may perform analyses on the information included therein. For instance, the server computer system 14 may perform analyses on information included in the alert or the summary, wherein the analyses may incorporate historical data (i.e., previously received summaries for the edge device, or similar edge devices, or machine learning models based on previously ingested data) and determine whether data expected to be ingested within a predetermined time period exceeds a threshold. Based on the result of the analyses, the server computer system 14 may transmit a communication to the edge device 12 that includes the instruction to enable the second rule set.

However, in other embodiments, e.g., when an alert is received, the server computer system 14 may automatically transmit a communication to the edge device 14 including an instruction to enable a second rule set, which may prompt the edge device 14 to transmit all ingested data to the server computer system 14 for additional analyses. It should be noted that in some embodiments, the communication transmitted to the edge device 12 may include an updated rule set (or a partial rule set that includes one or more updated rules).

In some embodiments, the server computer system 14 may perform an analysis of information included in a summary or an alert in combination with historical data or contextual data. For instance, in some embodiments, the server computer system 14 may utilize a machine learning model (also referred to as a “model”) that takes one or more metrics included in the summary or alert as input to generate a prediction as to whether the edge device 12 will satisfy a particular condition in the future (e.g., input to be received is predicted to exceed a threshold, such as liquid overflowing a tank, the temperature of a device will continue to increase too rapidly or exceed a specified threshold, etc.). In some examples, a model may be generated for each type of sensor providing input to any edge device 12 communicatively coupled to the computer server system 14. Additionally, a model may be generated using historical data generated by a sensor or multiple sensors (e.g., within a geographic in some embodiments).

In addition, or in the alternative, the server computer system 14 may apply a set of rules (e.g., a runbook, or at times referred to as a playbook) to the information included in the summary or alert, which may include determining whether input from multiple sensors each exceed predetermined thresholds or input from a sensor is changing at a pace that exceeds a predetermined threshold. Furthermore, the server computer system 14 may utilize contextual data in the analyses of the information within the summary or alert. As will be discussed in the examples below, the server computer system 14 may utilize contextual data in its analyses. Examples of contextual data include, but are not limited or restricted to, temperature, weather data, power outages/brown outs, traffic data, input from other edge devices or sensors, a time of day, week or year, etc.

It should be noted that in some embodiments, the client applications 42 on the edge device 12 may incorporate contextual data while processing and analyzing ingested data. In some embodiments, the use of contextual data by the client applications 42 comprises a lightweight utilization as compared to the use by the server computer system 14 (i.e., fewer rules or computations involving contextual data). The use of contextual data by the client applications 42 of the edge device 12 may include correlation of ingested data among multiple sensors (e.g., a thermocouple and a thermostat) or among multiple edge devices or correlation of ingested data and notifications from the computer server system 14, such as regarding to weather or power outages, brown-outs, etc.

6.3. Exemplary Embodiments of Intelligent Throttling Operations

In many situations, pushing processing to the edge device 12 to limit, e.g., “throttle,” the amount of data that is transmitted to the server computer system 14 is highly advantageous. For instance, edge devices 12 may operate in locations remote from the server computer system 14 such that connectivity issues complicate the transmission of large amounts of data. Additionally, as edge devices 12 become extremely ubiquitous and the amount of data obtained by sensors coupled to the edge devices continues to increase exponentially, the resources required to transmit that data to the server computer system 14 and process that data at a centralized location also increase exponentially; thus, increasing costs. Instead, by pushing a subset of the processing to the edge device 12 and using local resources to determine a health status of the edge device 12 or a predicted health status for example, the system 10 may intelligently throttle the amount of data transmitted to and processed by the server computer system 14 by sending summaries or alerts as discussed above as opposed to the ingested data in its entirety.

6.3.1. Cell Tower Status Indication

Referring now to FIG. 13A, an exemplary interactive user interface displaying data conveying states of a plurality of edge devices within a geographic region is shown in accordance with some embodiments. Specifically, FIG. 13A includes an interactive user interface (UI) 1300 that displays data pertaining to metrics of a plurality of cell towers. Illustrated in the interactive UI 1300 is a home screen 1302 that includes a plurality of display screens 1310, 1318 and 1326. Additionally, a search bar 1304 is shown providing a user an input method for searching for a desired geographic region, e.g., a city, in order to render a visual indication of cell tower metrics within or near the desired city. The rendered visual indication may display live, current data (e.g., in some embodiments with a time lag due to time required for transmitting and processing data). Example metrics include, but are not limited or restricted to, call quality, dropped calls, and anomalies detected and weather (predicted or current). The computation resulting in the data illustrated in FIGS. 13A-13B may be initiated by activating the “Render” button 1306. In the embodiment of FIG. 13A, the display screen 1310 includes a listing of a leading cause for the metrics, which in the illustrated embodiment, is listed as thunderstorms. The “Reset” button 1308 allows a user to clear the display screens and any entered search criteria as well as reset any visual changes made via user input to a display screen, e.g., the display screen 1318 illustrating a map view, to default settings. In alternative embodiments, the UI 1300 may additionally include a configuration to run a simulation of cell metrics based on past metrics or future, predicted metrics (e.g., extrapolated data and weather forecasts for example).

The display screen 1310 provides a visual display of metrics including call quality 1312, dropped calls 1314, anomalies detected 1315, and a leading cause of the metrics 1316. The display screen 1318 illustrates a map 1320 of a desired city, e.g., Vancouver, and icons 13241-1324 _(j) (wherein j=4 in this embodiment). In particular, the metrics displayed in the interactive UI 1300 may pertain to the cell towers located within a specified region 1322.

The display screen 1326 illustrates a graphical representation 1328 of the metrics of the cell towers within the geographic region 1322 over time. The data 1330 provides an indication as to the expected or modeled metrics of those cell towers (e.g., dotted region) and the actual metrics of the cell towers (e.g., solid or dashed lines). In some embodiments, the modeled metrics may take into account effects of the weather (e.g., contextual data). In other embodiments, the weather may not include the weather into the modeling (i.e., the expected metrics) but instead determine that the likely root cause of the actual metrics being anomalous is the presence of thunderstorms in the area. Furthermore, the graphic representation 1328 may include modeling of metrics in the future (e.g., hours or days in the future) thereby providing the user with an idea of how the expected weather will affect the metrics of the cell towers within the specified region 1322.

Referring now to FIG. 13B, a second exemplary interactive user interface displaying data conveying states of a plurality of edge devices within a geographic region is shown in accordance with some embodiments. Specifically, FIG. 13B includes an interactive UI 1332 that displays data pertaining to metrics of the plurality of cell towers as illustrated in FIG. 13A. Illustrated in the interactive UI 1332 is the home screen 1302 that includes a plurality of display screens 1310, 1336 and 1340. The display screen 1336 includes a graphical representation of icons that indicate a current or projected status of a plurality of cell towers. For example, a first icon (e.g., a white icon) may indicate a cell tower's status is “warning” while a second icon (e.g., a shaded icon) may indicate a cell tower's status is “critical.” It should be understood that numerous statuses other than “warning” and “critical” are within the scope of the invention as are various other visual indicators, including, for example, “healthy.”

In some embodiments, user input corresponding to hovering over (e.g., with a mouse) of an icon or a prolonged touch input to an icon via a screen of an applicable electronic device may provide additional information about the corresponding cell tower. For example, hovering over an icon may cause a display of a cell tower identifier (ID) and metrics for the cell tower (e.g., number of dropped calls, anomaly (signal interference), and a potential root cause of the metric values). Further, selecting the icon (e.g., clicking on the icon) may cause a display of a cell tower detail screen, not shown.

In some embodiments, the display screen 1340 may be included and illustrate a listing of potential root causes 1342 (e.g., thunderstorms), 1344 (e.g., malfunctioning electronics of an edge device/sensor) and 1346 (e.g., physical damage to an edge device/sensor). A corresponding confidence score may also be provided along with the listing of each potential root cause. The confidence score may be determined by a weighted analysis of the metrics (wherein each metric corresponds to a predetermined weight).

6.3.2. Security Monitoring Embodiment

In addition to the discussion above with respect to FIGS. 13A-13B detailing one embodiment of how pushing processing to an edge device (“intelligent throttling”) may be implemented to improve IT Operations Analytics (ITOA), intelligent throttling may also be implemented to improve edge device security monitoring. As one example, a software agent (e.g., logic) may be stored and operate on an endpoint (e.g., such as the edge device 12). The endpoint may be communicatively coupled to a computer server system, such as the computer server system 14. The agent may be configured with security rules that monitor networking traffic or processing of the endpoint device. For instance, the agent may perform a static analysis on received data such as network traffic (e.g., HTTP traffic, email messages, etc.) received via a SPLUNK HTTP Event Collector (HEC). The static analysis may include comparisons of the received network traffic with white lists or black lists that detail non-malicious and malicious objects, respectively. The term “object” when used in relation to the security monitoring embodiment may generally refer to a collection of data, whether in transit (e.g., over a network) or at rest (e.g., stored), often having a logical structure or organization that enables it to be categorized or typed for purposes of analysis. The static analysis may also include a rules-based analysis.

Based on the analysis performed by the agent at the endpoint device, the agent may detect malware or an infection. The term “malware” may be understood to generally refer to code or activity that initiates a malicious attack or operations associated with anomalous or unwanted behavior. For example, the agent may detect a URL link in an email that appears on a blacklist (e.g., a known malicious URL). Alternatively, the agent may detect a file that was received in an email from an email address appearing on a blacklist. It should be understood that malware detection is not limited to these examples and the disclosure is not intended to be so limited.

Upon detecting the infection or malware, the agent may transmit a summary or alert to the server computer system 14, which may process a runbook (e.g., at least a composition of a set of rules) that causes transmission of a series of updated analyses or remediation rules to the agent. In response to receiving the series of updated analyses or remediation rules, the agent executes an attempt to halt the malware attack or spread thereof within the endpoint or to other endpoints. In some instances, the received data may be time series data. In other instances, the received data need not be time series data. Further, in some instances, the computer server system 14 may implement machine learning techniques in detecting malicious behaviors and in generating updated analyses or remediation rules.

Any or all of the features and functions described above can be combined with each other, except to the extent it may be otherwise stated above or to the extent that any such embodiments may be incompatible by virtue of their function or structure, as will be apparent to persons of ordinary skill in the art. Unless contrary to physical possibility, it is envisioned that (i) the methods/steps described herein may be performed in any sequence or in any combination, and (ii) the components of respective embodiments may be combined in any manner.

7.0. Data Enrichment Embodiment

In some embodiments, it may be advantageous to push as much computation and processing of observed, received or ingested data to edge devices as possible, and away from a remote server computer system, in order to use local compute resources, reduce transmission of data and increase the privacy of ingested and/or computed data as well as the security of system. For example, by reducing the amount of data transmitted between edge devices and the remote server computer, the impact or severity of a data breach and/or a data leak may be mitigated. The initial computation and processing of ingested data at edge devices may throttle the amount of information that is transmitted to the server computer system, with the initial computation and processing including the evaluation of queries using the ingested data (referred to as a data stream). Depending on the query and data stream, a query may be fully evaluated based solely on the data stream, or using the data stream history (“historical data”) and/or any additional, contextual data that is available to the edge device (e.g., stored thereon). However, due to the limited storage capacity of many edge devices, a server computer system may only provide each edge device with a limited set of queries, which are evaluated utilizing received data streams and limited contextual information required for the evaluation of each query.

As a result of the limited information provided to each edge device, as an edge device receives a data stream that includes unexpected information, the evaluation of a query utilizing the data stream may require additional contextual information not stored on the edge device. In such instances, the evaluation of the query may fail at this point due to the absence of the required contextual information. In some embodiments, the edge device may be able to immediately transmit a request to the server computer system for such additional contextual information. However, the network connection between the edge device and the server computer system may be poor, thus preventing frequent and reliable transmission. Additionally, the server computer system may be coupled to hundreds or thousands of edge devices and, as a result, would receive hundreds or thousands of requests within a short time period, rendering the server computer system useless for any tasks other than retrieval of contextual information.

Therefore, various embodiments of a system and method are disclosed that include partial evaluation of a query and the recording of identifiers of contextual information, the identifiers corresponding to information that is required by the query but is not available to the edge device, thus causing the query evaluation to fail. In some embodiments, the identifiers represent keys used in database queries. A key may be a data value (categorical or numeric) that identifies an entity, a subject, a condition and/or a behavior. The key may be utilized in the generation of queries for contextual data relevant to an edge device, the system or a particular component. As one illustrative example, with respect to relational databases, the key may be one of a primary key, a foreign key, a candidate key or one part of a multi-part key.

The system and method also include the transmission of the missing identifiers to the server computer system at periodic intervals or in response to other triggering events (e.g. when the count of missing identifiers exceeds a configurable threshold) so that the server computer system may perform a batch query for the contextual information corresponding to the identifiers. The relevant contextual information is then transmitted to each edge device in order to enable each edge device to further evaluate queries stored thereon.

7.1. Methodologies

Referring to FIG. 14, an operation flow diagram illustrating an example of determining, requesting and receiving enrichment data required by an edge device is shown according to an embodiment. Each block illustrated in FIG. 14 represents an operation performed in the method 1400 of determining, requesting and receiving enrichment data by an edge device. Herein, the method 1400 starts when the edge device receives a configuration file or a query from a server computer system (also referred to as “core”) (block 1402). In one embodiment, the received configuration file may include a plurality of queries to be evaluated by the edge device on a data stream also received by the edge device. In some embodiments, each query may be part of, or represent, a rule set, e.g., the rule sets 1204 ₁-1204 _(i) of FIG. 12. Additionally, a query may represent a search function, which may be written in the Splunk Processing Language (SPL).

In one embodiment, as discussed above with respect to each rule set 1204 ₁-1204 _(i), when executed, a query may instruct the client applications to perform varying levels of processing with each level including varying operations or thresholds utilized during the processing. For example, the first rule set 1204 ₁, when executed, may cause client applications to generate, and search, time series data by way of indexing, storing, searching, or extracting raw data or data items from the ingested data (e.g., raw data). In other embodiments, a query evaluation logic may, upon execution, evaluate a search query by processing a received data stream, i.e., ingested data.

Subsequently, the edge device receives a data stream from one or more components that may include sensors or other electronic devices (block 1404). The data stream may be received via sensors that are part of or coupled to the edge device. In response to receipt of the data stream, the edge device attempts to evaluate a query on the data stream, and optionally, the data stream history (“historic data”) and enrichment data, if available (block 1406). The edge device comes to a decision point in determining whether the query can be fully evaluated based on the data stream, the data stream history and enrichment data, if available (block 1408).

When the edge device is able to fully evaluate the query (yes at block 1408), the edge device determines whether a result of the query evaluation exceeds, or is nearing, one or more predetermined thresholds (block 1410). In some embodiments, the evaluation of a query may cause logic of the edge device to perform a statistical analysis and generate a predicted status of the edge device, or a portion thereof, based on extrapolating the results of the statistical analysis. The logic of the edge device, when executed, may then determine whether the predicted status exceeds a threshold, e.g., for a particular metric, within a given time period, or is nearing the threshold. When the edge device determines that a result of the query evaluation exceeds one or more thresholds, or is nearing a threshold, the edge device may generate and transmit a signal, e.g., an alert, to the server computer system (block 1412). As a result of transmitting the signal, the edge device may receive a new query from the server computer system, as discussed above with respect to FIG. 12. However, when the edge device determines that a result of the query evaluation does not exceed one or more thresholds, and is not nearing a threshold, logic of the edge device comes to a decision point (block 1416) and determines whether to evaluate the query utilizing new data (block 1420) or evaluate a new query (block 1418) When the logic determines to evaluate the same query utilizing new data, the method returns to block 1404 to receive the data stream.

When the edge device is unable to fully evaluate the query, which may be referred to as a failure (no at block 1408), the edge device performs a partial evaluation of the query (block 1422). During partial evaluation, evaluation of the query will fail such that only a portion of the query is evaluated. Often, the query evaluation fails due to (i) an absence of data stored on the edge device that is required by the query, and (ii) the inability of the edge device to immediately request such data from the server computer system (i.e., due to a lack of a network connection). In one embodiment, logic of the edge device records identifiers of the absent data that caused the failure (block 1424). In other embodiments, logic of the edge device may store the entire request that failed (for example, a portion of the query).

The absent data may be data that provides additional information to the edge device about the data stream being processed. Hereinafter, information required to perform a query evaluation that is not present in the query, the data stream itself or the data stream history is referred to as “enrichment data.” The enrichment data may provide contextual information and various definitions used in parsing the data stream and converting extracted data into an alternative format. As one illustrative example of enrichment data, an edge device may receive a data stream from a thermostat attached to a component such as a circuit board and a query may cause the extraction of temperature readings from the data stream and the conversion of the temperature readings into a color indicating a state of the component (e.g., red, yellow, green). Given the limited storage capacity on an edge device, the edge device may only store data utilized to convert the extracted temperature readings for a limited range of temperatures (e.g., 70-150° F.). When an extracted temperature reading is outside of that range, the result is a query evaluation failure as the enrichment data is absent from the edge device. Further, the edge device may be unable to immediately query the server computer system for such information. In this illustrative embodiment, the extracted temperature reading may serve as the identifier. Alternatively, a combination of the extracted temperature and the portion of the query requiring the conversion may be used as the identifier.

After recording the identifiers, e.g., in a list or table, logic of the edge device determines whether a trigger to transmit the list of identifiers to the server computer system has been satisfied (block 1426). Examples of triggering events include, but are not limited or restricted to, the expiration of a predefined time period (e.g., 10 seconds, 1 minute, 5 minutes, etc.), exceeding of a threshold of a number of identifiers in the list of identifiers, exceeding of a threshold of a number of query failures (i.e., performing partial evaluation), etc. In yet other embodiments, a triggering event may be the receipt of a request/instruction from the server computer system for a list of identifiers. When the trigger has been satisfied, the logic of the edge device transmits the identifier or identifiers to the server computer system (block 1434). In one embodiment, the list of identifiers may be transmitted as a batch request for the information corresponding to the list of identifiers. In other embodiments, the list of identifiers or a listing of each portion of the queries causing a failure may be transmitted. In some embodiments, the list of identifiers is transmitted to the server computer system in an out-of-band communication with any data from the data stream being transmitted via an in-band communication. As a result of transmitting the list of identifiers to the server computer system, the edge device may receive the enrichment data that corresponds to the list of identifiers (block 1436) from the server computer system, at which time the method 1400 returns to block 1404 to receive the data stream. As will be discussed below, the list of identifiers is utilized by the server computer system to query one or more data stores for the enrichment data corresponding to each identifier and transmit the enrichment data to each requesting edge device. However, when a trigger has not been satisfied, logic of the edge device comes to a decision point (block 1416) and determines whether to evaluate the query utilizing new data (block 1420) or evaluate a new query (block 1418).

Referring now to FIG. 15, an operation flow diagram illustrating an example of retrieving requested enrichment data by a federated enrichment system of a server computer system and transmitting the retrieved enrichment data to one or more edge devices is shown according to an embodiment. Each block illustrated in FIG. 15 represents an operation performed in the method 1500 of retrieving requested enrichment data by a server computer system and transmitting the retrieved enrichment data to one or more edge devices. Herein, the method 1500 starts when the server computer system receives one or more lists of identifiers (block 1502). Following the receipt of the one or more lists of identifiers, the server computer system generates a batch query from the one or more lists (block 1504). In some embodiments, the server computer system may be coupled to hundreds or thousands of edge devices and, as a result, receive hundreds or thousands of lists of identifiers within a short time period. To efficiently process the high volume of lists of identifiers (e.g., to retrieve the corresponding enrichment data), logic of the federated enrichment system of the server computer system generates a batch query including each identifier within the lists of identifiers by merging multiple lists of identifiers and removing duplicate identifiers. During the batch query generation, the federated enrichment system also maintains a listing (e.g., a table) of each edge device and the list of identifiers received therefrom in order to transmit the relevant enrichment data to each edge device.

Once the batch query has been generated, the server computer system executes the batch query to retrieve the enrichment data requested by the edge devices from which the lists of identifiers were received (block 1506). As shown in FIG. 19, the server computer system may retrieve data from a plurality of data stores while processing the batch query. Subsequently, the server computer system generates response packets that include at least a portion of the retrieved enrichment data (block 1508). The term “response packet” broadly refers to a series of bits or bytes having a prescribed format. Each response packet is generated for one or more edge devices depending on the lists of identifiers transmitted by each edge device. In order to efficiently transmit the enrichment data, the server computer system may generate a single packet with enrichment data corresponding to a plurality of keys. In other embodiments, each response packet may include enrichment data that corresponds to a single key.

Finally, following the generation of the response packets, the server computer system transmits response packets to the edge devices from which the lists of identifiers were received (block 1510). In some embodiments, the server computer system transmits a single response packet to each edge device according to the list of identifiers transmitted by the edge device. In other embodiments, a response packet may be multicast to a plurality of edge devices, and in some embodiments, a response packet may be broadcast to all edge devices.

In addition to the method 1500 in which the server computer system retrieves enrichment data in response to the receipt of a list of identifiers, in some embodiments, the server computer system may perform operations configured to predict enrichment data that is likely to be needed by the edge device in the future. This predictive enrichment data is then transmitted to the edge device and the process may be referred to as “predictive preloading.” Referring now to FIG. 16, an operation flow diagram illustrating an example of process of predictive preloading performed by a server computer system is shown according to an embodiment. Each block illustrated in FIG. 16 represents an operation performed in the method 1600 of executing a predictive preloading process by a server computer system. Herein, the method 1600 starts with the server computer system determining a hardware/software configuration of an edge device, or other configuration information (block 1602). The term “configuration information” may detail an edge device's system configuration and provide detail as to components monitored by the edge device, i.e., from what components a data stream is received. Configuration information may define the software, firmware or hardware of the edge device or associated components.

Following the determination of the configuration information, the server computer system performs predictive analytics based on the configuration information to determine predictive enrichment data to transmit to the edge device (block 1604). In one embodiment, the predictive analytics may include a rules-based analysis of the configuration information and the selection of a predetermined set of enrichment data to be transmitted to the edge device (e.g., based on the type of edge device, based on software/firmware loaded on the edge device, based on components monitored by the edge device, based on hardware of the edge device, etc.). In another embodiment, the predictive analytics may include the utilization of an artificial neural network that is configured to learn and predict the enrichment data that is likely to be needed by the edge device based on its configuration information. The artificial neural network may be trained on a set of historical data (historical response packets) and retrained at predetermined time intervals or after the number of lists of identifiers received from edge devices exceeds a predetermined threshold.

Finally, the server computer system transmits the predictive enrichment data to the edge device (block 1606). In some embodiments, especially when the edge device is just being configured or coupled to the server computer system, the predictive enrichment data may be transmitted with a configuration file that includes one or more queries. In other embodiments, the predictive enrichment data may be transmitted on its own or may be included in a transmission with a response packet (i.e., the predictive enrichment data will be the enrichment data the server computer system anticipates the edge device is likely to need in the future based on at least the edge device configuration information and the most recently received list of identifiers). Upon receiving the enrichment data, the edge device may perform the process set forth in FIG. 14.

7.2. Architecture

Referring to FIG. 17, a block diagram illustrating components of an edge device connected to a server computer system similar to FIGS. 6 and 12, and further including components configured to implement a query evaluation failure recording and enrichment data request/transmission operations is shown according to an embodiment. In the illustrated embodiment, the system 1700 includes the edge device 12 and the server computer system 14. The edge device 12 includes at least the components as discussed above with respect to FIG. 6 and optionally those discussed with respect to FIG. 12. In addition, the edge device illustrated in the embodiment of system 1700 includes a nodal enrichment system 1714 that includes a query evaluation logic 1716, a query recording logic 1718 and, potentially, a list of identifiers 1720, that may be stored in persistent storage (not shown).

The nodal enrichment system 1714, when executed by the processors 13, attempts to evaluate a query on a received data stream (wherein the queries, in one embodiment, may be rules and stored in the rule set storage 1202). In the instance in which the query may be fully evaluated, either the query evaluation logic 1716 or the client applications 42 may determine whether results of the query evaluation exceed one or more thresholds. When one or more thresholds are exceeded, a signal may be transmitted to the server computer system 14. When one or more thresholds is not exceeded, a new query may be evaluated or the same query may be evaluated utilizing new data. However, in the instance in which the query may not be fully evaluated, e.g., evaluation of the query requires information in addition to merely that included in the data stream, the data stream history and any enrichment data available, the query evaluation will fail causing the query recording logic 1718 to identify and record identifiers as discussed above in the list of identifiers 1720. At a later point in time, a list of identifiers 1720 recorded by the query recording logic 1718 is transmitted to the server computer system 14. In response, the edge device 12 receives enrichment data corresponding to the list of identifiers 1720. In some embodiments, the nodal enrichment system 1714 may record successful query evaluations, or data that identifies a successful query evaluation, which may include a data stream identifier, the query itself, enrichment data that was required available to the edge device at the time of the query evaluation, etc. The successful query recordation may be stored in a data store (not shown) and transmitted to the sever computer system 14, periodically, upon a triggering event and/or upon receipt of a request from the sever computer system 14. The recordation of successful queries (or associated data) may be used by the server computer system 14 to build models for predictive preloading, discussed above. The recordation of successful queries (or associated data) may be cached by the edge device 12 to enable prefetching of data for future query evaluations. In such embodiments, the query recording logic 1718 may also perform operations that cause the successful queries to be recorded.

In one embodiment, the server computer system 14 includes a federated enrichment system 1702 that includes a batch generation logic 1704, a query logic 1706, a response packet generation logic 1708, a response packet response logic 1710 and a predictive preloading logic 1712. The federated enrichment system 1702, when executed by the processors 15, may receive transmissions from a plurality of edge devices including the edge device 12, wherein the transmissions each include a list of identifiers. The batch generation logic 1704 may generate a batch query from one or more lists of identifiers, which is then executed by the query logic 1706. The response packet generation logic 1708 generates responses packets to be transmitted to the edge devices, wherein the response packets include at least enrichment data corresponding to the list of identifiers received from each edge device. Subsequently, the response packet transmission logic 1710 transmits a response packet to an edge device with the response packet including enrichment data specific to each edge device. The predictive preloading logic 1712 may perform operations to predict what enrichment data an edge device is likely to need to fully evaluate queries in the future using analytics that may be rules-based or based on artificial intelligence (machine learning and artificial neural networks).

FIG. 18 is an exemplary embodiment of a logical representation of a federated enrichment system of a server computer system and query evaluation and failure recording logic of an edge device according to an embodiment.

The federated enrichment system 1702, in an embodiment, may be stored on a non-transitory computer-readable storage medium of server computer system 14 that includes a housing, which may be made entirely or partially of a hardened material (e.g., hardened plastic, metal, glass, composite or any combination thereof) that protects the circuitry within the housing, namely one or more processors 15 that are coupled to a communication interface 17. The communication interface 17, in combination with a communication logic 25, enables communications with external network devices or other network appliances. According to one embodiment of the disclosure, the communication interface 17 may be implemented as a physical interface including one or more ports for wired connectors. Additionally, or in the alternative, the communication interface 17 may be implemented with one or more radio units for supporting wireless communications with other electronic devices. The communication interface logic 25 may include logic for performing operations of receiving and transmitting one or more objects via the communication interface 17 to enable communication between the server computer system 14 and network devices via a network (e.g., the internet) or cloud computing services, not shown.

The processor(s) 15 is further coupled to a persistent storage 23. According to one embodiment of the disclosure, the persistent storage 23 may include the following logic as software modules: the batch generation logic 1704, the query logic 1706, the response packet generation logic 1708, the response packet transmission logic 1710, predictive preloading logic 1712 and a data store 31. The operations of these software modules, upon execution by the processor(s) 15, are described above. Of course, it is contemplated that some or all of this logic may be implemented as hardware, and if so, such logic could be implemented separately from each other.

The nodal enrichment system 1714, in an embodiment, may be stored on a non-transitory computer-readable storage medium of edge device 12 that includes a housing, which may be made entirely or partially of a hardened material (e.g., hardened plastic, metal, glass, composite or any combination thereof) that protects the circuitry within the housing, namely one or more processors 13 that are coupled to a communication interface 19. The communication interface 19, in combination with a communication logic 27, enables communications with external network devices or other network appliances. According to one embodiment of the disclosure, the communication interface 19 may be implemented as a physical interface including one or more ports for wired connectors. Additionally, or in the alternative, the communication interface 19 may be implemented with one or more radio units for supporting wireless communications with other electronic devices. The communication interface logic 27 may include logic for performing operations of receiving and transmitting one or more objects via the communication interface 19 to enable communication between the edge device 14 and network devices via a network (e.g., the internet) or cloud computing services, not shown.

The processor(s) 13 is further coupled to a persistent storage 21. According to one embodiment of the disclosure, the persistent storage 21 may include the following logic as software modules: the query evaluation logic 1716, the query recording logic 1718 and a data store 29 configured to store a list of identifiers 1720. The operations of these software modules, upon execution by the processor(s) 13, are described above. Of course, it is contemplated that some or all of this logic may be implemented as hardware, and if so, such logic could be implemented separately from each other.

7.3. Data Flow

Referring to FIG. 19, a data flow diagram illustrating an example of determining, requesting and receiving enrichment data required by an edge device and retrieval and transmission of the enrichment data by a server computer system is shown according to an embodiment. The data flow 1900 illustrates a plurality of edge devices, edge devices 12 ₁-12 _(i), communicatively coupled to a server computer system 14. Each edge device 12 ₁-12 _(i) receives a data stream and attempts to evaluate query logic against the data stream (e.g., a query evaluation process 1902 ₁-1902 _(i)). As discussed above, when the query evaluation fails and a partial evaluation is performed, the edge devices 12 ₁-12 _(i) store identifiers corresponding to information that caused the failure in a list of identifiers 1904 ₁-1904 _(i). In response to a triggering event, the edge devices 12 ₁-12 _(i) transmit the list of keys 1904 ₁-1904 _(j) to the server computer system 14, which generates a batch query from the plurality of lists of identifiers 1904 ₁-1904 _(i). The batch query is then utilized to query one or more data stores 19061-1906 _(j) for enrichment data corresponding to each of the identifiers. The server computer system 14 generates response packets that include the relevant enrichment data for each edge device 12 ₁-12 _(i) and transmits one or more response packets to each edge device 12 ₁-12 _(i).

Although the subject matter has been described in language specific to structural features or acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as examples of implementing the claims, and other equivalent features and acts are intended to be within the scope of the claims. 

What is claimed is:
 1. A computerized method comprising: obtaining input from a data stream at an electronic device, wherein the input includes machine data and the electronic device has stored thereon a first query; evaluating the first query by processing the input according to the first query; responsive to detecting a failure during evaluation of the first query resulting from a lack of enrichment data stored on the electronic device, recording a first identifier corresponding to the enrichment data; transmitting the first identifier to a remote server computer system; receiving a communication from the remote server computer system, wherein the communication includes the enrichment data; and evaluating the first query by processing second input from the data stream according to the first query and the enrichment data.
 2. The computerized method of claim 1, wherein the enrichment data includes contextual information or one or more definitions used in parsing the data stream and converting extracted data into an alternative format.
 3. The computerized method of claim 1, wherein the electronic device evaluates a plurality of queries including the first query and records a plurality of identifiers each corresponding to the enrichment data, the plurality of identifiers including the first identifier.
 4. The computerized method of claim 1, wherein the electronic device evaluates a plurality of queries including the first query and records a plurality of identifiers each corresponding to the enrichment data, the plurality of identifiers including the first identifier, and further comprising: transmitting a list of identifiers to the remote server computer system.
 5. The computerized method of claim 1, wherein the electronic device evaluates a plurality of queries including the first query and records a plurality of identifiers each corresponding to the enrichment data, the plurality of identifiers including the first identifier, and further comprising: in response to a triggering event, transmitting a list of identifiers to the remote server computer system, wherein the triggering event includes a threshold number of identifiers being recorded in the list of identifiers.
 6. The computerized method of claim 1, wherein transmitting the first identifier to a remote server computer system is performed at predetermined time intervals.
 7. The computerized method of claim 1, wherein processing the input according to the first query includes: performing a statistical analysis on at least a portion of the input, and generating a predicted status that indicates whether future input obtained by the electronic device is predicted to exceed a threshold within a time period based on an extrapolation process using a result of the statistical analysis and further comprising: responsive to determining the future input obtained by the electronic device is predicted to exceed the threshold within the time period, transmitting an alert to the remote server computer system.
 8. The computerized method of claim 1, wherein obtaining the input at the electronic device includes generating time series data, wherein the time series data comprises a sequence of data points that are associated with successive points in time, and wherein the time series data is raw machine data, and further comprising: parsing the raw machine data into a plurality of timestamped events, each timestamped event in the plurality of timestamped events comprising at least a portion of the parsed raw data.
 9. The computerized method of claim 1, wherein the machine data is one or more of sensor data, system log files, or network data.
 10. The computerized method of claim 1, wherein the enrichment data is retrieved by the remote server computer system through performance of operations including querying one or more data stores by the remote server computer system using the first identifier.
 11. A system comprising: a memory to store executable instructions; and a processing device coupled with the memory, wherein the instructions, when executed by the processing device, cause operations including: obtaining input from a data stream at an electronic device, wherein the input includes machine data, wherein the electronic device has stored thereon a first query; evaluating the first query by processing the input according to the first query; responsive to detecting a failure during evaluation of the first query resulting from a lack of enrichment data stored on the electronic device, recording a first identifier corresponding to the enrichment data; transmitting the first identifier to a remote server computer system; receiving a communication from the remote server computer system, wherein the communication includes the enrichment data; and evaluating the first query by processing second input from the data stream according to the first query and the enrichment data.
 12. The system of claim 11, wherein the enrichment data includes contextual information or one or more definitions used in parsing the data stream and converting extracted data into an alternative format.
 13. The system of claim 11, wherein the electronic device evaluates a plurality of queries including the first query and records a plurality of identifiers each corresponding to the enrichment data, the plurality of identifiers including the first identifier.
 14. The system of claim 11, wherein the electronic device evaluates a plurality of queries including the first query and records a plurality of identifiers each corresponding to the enrichment data, the plurality of identifiers including the first identifier, and further comprising: transmitting a list of identifiers to the remote server computer system.
 15. The system of claim 11, wherein the electronic device evaluates a plurality of queries including the first query and records a plurality of identifiers each corresponding to the enrichment data, the plurality of identifiers including the first identifier, and further comprising: in response to a triggering event, transmitting a list of identifiers to the remote server computer system, wherein the triggering event includes a threshold number of identifiers being recorded in the list of identifiers.
 16. The system of claim 11, wherein transmitting the first identifier to a remote server computer system is performed at predetermined time intervals.
 17. The system of claim 11, wherein processing the input according to the first query includes: performing a statistical analysis on at least a portion of the input, and generating a predicted status that indicates whether future input obtained by the electronic device is predicted to exceed a threshold within a time period based on an extrapolation process using a result of the statistical analysis and further comprising: responsive to determining the future input obtained by the electronic device is predicted to exceed the threshold within the time period, transmitting an alert to the remote server computer system.
 18. The system of claim 11, wherein obtaining the input at the electronic device includes generating time series data, wherein the time series data comprises a sequence of data points that are associated with successive points in time, and wherein the time series data is raw machine data, and further comprising: parsing the raw machine data into a plurality of timestamped events, each timestamped event in the plurality of timestamped events comprising at least a portion of the parsed raw data.
 19. The system of claim 11, wherein the machine data is one or more of sensor data, system log files, or network data.
 20. The system of claim 11, wherein the enrichment data is retrieved by the remote server computer system through performance of operations including querying one or more data stores by the remote server computer system using the first identifier. 